AzPolicyAdvertizer

last sync: 2025-Jul-11 17:24:21 UTC

Changes on Azure Policy definitions

Category Id DisplayName Description Effect Roles used Subject Change Date (UTC ymd) (i) Type
Health Bot 96561daf-13ae-4008-9300-638df7e6a11a Azure Health Bots should use Azure RBAC as their access control method Have a more precise and robust control over access control for your healthcare agents, by setting Azure RBAC as your access control method. Roles are assigned through the Access Control blade in your resource page, groups can be leveraged to share permissions, and custom roles can be authored to cater for specific use cases. Learn more at https://docs.microsoft.com/azure/health-bot/cmk Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2025-07-11 17:24:21 BuiltIn
Cognitive Services aafe3651-cb78-4f68-9f81-e7e41509110f [Preview]: Cognitive Services Deployments should only use approved Registry Models Restrict the deployment of Registry models to control externally created models used within your organization Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-07-11 17:24:21 BuiltIn
Planetary Computer 9fac9537-cba6-480a-97dc-21a93c1aa055 Microsoft Planetary Computer Pro GeoCatalogs should use a managed identity Assigning a managed identity to a Planetary Computer GeoCatalog lets it securely access source Storage accounts (Storage Blob Data Reader) for data ingestion without you managing secrets. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-07-07 17:23:16 BuiltIn
Monitoring 98903777-a9f6-47f5-90a9-acaf62ab01a8 [Preview]: Configure subscriptions to enable service health alert monitoring rule Assignable at the subscription or management group level, this policy ensures that each subscription has a service health alert rule configured with alert conditions and mapping to action groups as specified in the policy parameters. By default creates a resource group, alert rule and action group configured to send emails to subscription owners for all service health events. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
•unknown Id
add
 new Policy 2025-07-07 17:23:16 BuiltIn
Monitoring e2dd799a-a932-4e9d-ac17-d473bc3c6c10 Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images Reports virtual machine scale sets as non-compliant if the virtual machine image is in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2025-07-07 17:23:16 BuiltIn
Network fe8a9af4-a003-4c7d-b7a4-b9808310c4f8 Public IPs and Public IP prefixes should have FirstPartyUsage tag Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2025-07-07 17:23:16 BuiltIn
Guest Configuration fe4e11ff-f561-4d4a-877c-256cc0b6470e [Preview]: Audit SSH security posture for Windows This policy audits SSH server security configuration on Windows Server 2025 machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://learn.microsoft.com/azure/osconfig/overviewsshposture-control-windows. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2025-07-07 17:23:16 BuiltIn
Security Center 359a48a3-351a-4618-bb32-f1628645694b Configure Microsoft Defender threat protection for AI Services New capabilities are continuously being added to threat protection for AI Services, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.0.0 > 1.1.0) 2025-07-07 17:23:16 BuiltIn
Guest Configuration 42830b63-79aa-4ea5-85dc-6baa719d7d7c [Preview]: Configure SSH security posture for Windows This policy configures SSH server security configuration on Windows Server 2025 machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://learn.microsoft.com/azure/osconfig/overviewsshposture-control-windows. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
add
 new Policy 2025-07-07 17:23:16 BuiltIn
Monitoring 11ac78e3-31bc-4f0c-8434-37ab963cea07 Dependency agent should be enabled for listed virtual machine images Reports virtual machines as non-compliant if the virtual machine image is in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2025-07-07 17:23:16 BuiltIn
App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.1.0 > 3.2.0) 2025-07-01 17:24:08 BuiltIn
App Service 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 App Service app slots should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.1.0 > 1.2.0) 2025-07-01 17:24:08 BuiltIn
Guest Configuration e22a2f03-0534-4d10-8ea0-aa25a6113233 Configure SSH security posture for Linux (powered by OSConfig) This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor (1.0.1 > 1.1.0) 2025-06-19 17:23:14 BuiltIn
Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (1.2.0 > 1.3.0) 2025-06-19 17:23:14 BuiltIn
Guest Configuration 828ba269-bf7f-4082-83dd-633417bc391d Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2025-06-19 17:23:14 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) 2025-06-19 17:23:14 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (3.1.0 > 3.2.0) 2025-06-19 17:23:14 BuiltIn
Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. Fixed
deployIfNotExists 		count: 001
Guest Configuration Resource Contributor
change
 Minor (3.0.0 > 3.1.0) 2025-06-19 17:23:14 BuiltIn
Machine Learning 7f40cee6-e933-4d0f-a782-b96615e0f4a6 Azure Machine Learning workspaces should be encrypted with the use of a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2025-06-19 17:23:14 BuiltIn
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2025-06-19 17:23:14 BuiltIn
Kubernetes 2630c91f-8a20-8f43-14a2-2485b648e2a9 Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS CA Certificate. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2025-06-13 17:23:19 BuiltIn
Kubernetes b8c1d6c1-6137-97c6-9c34-d4627e54ca26 Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2025-06-13 17:23:19 BuiltIn
Kubernetes b6c7fd52-4723-5f4d-a157-3d39bd16a1d7 Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2025-06-13 17:23:19 BuiltIn
Kubernetes 9e980dca-f3e1-8da3-6717-ad37b1ca6b27 Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a SSH private key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2025-06-13 17:23:19 BuiltIn
Kubernetes 5174c1db-ca42-e0d4-b320-4f1cf6a1fa93 Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires a Bucket SecretKey stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2025-06-13 17:23:19 BuiltIn
Search 4eb216f2-9dba-4979-86e6-5d7e63ce3b75 Configure Azure AI Search services to disable local authentication Disable local authentication methods so that your Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Default
Modify
Allowed
Modify, Disabled 		count: 001
Search Service Contributor
change
 Major (1.0.1 > 2.0.0) 2025-06-13 17:23:19 BuiltIn
Kubernetes bf1a31be-3b79-5ba8-c9e0-9a8c9ad9f749 Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2025-06-13 17:23:19 BuiltIn
Kubernetes 83ea2fd1-9eaf-2f6d-f672-cd7b2ac798f6 Configure Kubernetes clusters with Flux v2 configuration using public Git repository Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires no secrets. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2025-06-13 17:23:19 BuiltIn
Kubernetes 40f1aee2-4db4-4b74-acb1-c6972e24cca8 Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (1.1.0 > 1.2.0) 2025-06-13 17:23:19 BuiltIn
Storage 361c2074-3595-4e5d-8cab-4f21dffc835c [Deprecated]: Deploy Defender for Storage (Classic) on storage accounts This policy enables Defender for Storage (Classic) on storage accounts - This policy is deprecated. New enablements of the classic plan are no longer supported, effective February 5, 2025. Existing subscriptions and storage accounts already enabled with the classic plan can continue to use it. For more details, please refer to https://aka.ms/DF-Storage/NewPlanMigration. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) 2025-06-06 17:23:16 BuiltIn
Monitoring 1a94e687-23be-4c29-87a9-92c9cabae28f [Preview]: Data Collection Rules that target a specific workspace should use the specified Data Collection Endpoint Audit or deny the creation of DCRs that target a workspace and don't use the specified DCE Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-06-06 17:23:16 BuiltIn
Security Center 17bc14a7-92e1-4551-8b8c-80f36953e166 Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) Microsoft Defender for Storage provides Azure-native threat detection for storage accounts. This policy enables basic features (Activity Monitoring). For full protection, including Malware Scanning and Sensitive Data Discovery, use aka.ms/DFStoragePolicy. Major version update: PerTransaction is no longer supported for new enablements after Feb 5, 2025. Existing accounts using it remain supported. Learn more: aka.ms/DF-Storage/NewPlanMigration. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Major (1.1.0 > 2.0.0) 2025-06-06 17:23:16 BuiltIn
Security Center 74c30959-af11-47b3-9ed2-a26e03f427a3 [Deprecated]: Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts - please note that deprecation is for commercial cloud only. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor, new suffix: deprecated (1.0.2 > 1.1.0-deprecated) 2025-06-06 17:23:16 BuiltIn
Media Services b4a7f6c1-585e-4177-ad5b-c2c93f4bb991 [Deprecated]: Configure Azure Media Services to use private DNS zones This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (4.4.0 > 4.5.0) 2025-06-03 17:23:32 BuiltIn
Media Services daccf7e4-9808-470c-a848-1c5b582a1afb [Deprecated]: Azure Media Services content key policies should use token authentication This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Monitoring 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 [Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, new suffix: deprecated (3.9.0 > 3.10.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Media Services a77d8bb4-8d22-4bc1-a884-f582a705b480 [Deprecated]: Azure Media Services accounts should use an API that supports Private Link This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Media Services 9285c3de-d5fd-4225-86d4-027894b0c442 [Deprecated]: Azure Media Services should use customer-managed keys to encrypt data at rest This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.4.0 > 3.5.0) 2025-06-03 17:23:32 BuiltIn
Media Services ccf93279-9c91-4143-a841-8d1f21505455 [Deprecated]: Azure Media Services accounts that allow access to the legacy v2 API should be blocked This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.6.0 > 1.7.0) 2025-06-03 17:23:32 BuiltIn
Monitoring 32133ab0-ee4b-4b44-98d6-042180979d50 [Deprecated]: Log Analytics Extension should be enabled for listed virtual machine images This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.0.1-preview > 2.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Media Services 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3 [Deprecated]: Azure Media Services accounts should disable public network access This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-06-03 17:23:32 BuiltIn
Media Services e9914afe-31cd-4b8a-92fa-c887f847d477 [Deprecated]: Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Media Services c5632066-946d-4766-9544-cd79bcc1286e [Deprecated]: Configure Azure Media Services with private endpoints This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
•unknown Id
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.6.0 > 1.7.0) 2025-06-03 17:23:32 BuiltIn
Monitoring f47b5582-33ec-4c5c-87c0-b010a6b2e917 [Deprecated]: Virtual machines should be connected to a specified workspace This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.1.0 > 1.2.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.2.0 > 3.3.0) 2025-06-03 17:23:32 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.2.0 > 3.3.0) 2025-06-03 17:23:32 BuiltIn
Media Services 4a591bf5-918e-4a5f-8dad-841863140d61 [Deprecated]: Azure Media Services should use private link This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
Monitoring 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 [Deprecated]: Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (2.0.1 > 2.1.0-deprecated) 2025-06-03 17:23:32 BuiltIn
SQL c9299215-ae47-4f50-9c54-8a392f68a052 Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.2.0 > 2.3.0) 2025-05-22 17:43:25 BuiltIn
General 4e6c27d5-a6ee-49cf-b2b4-d8fe90fa2b8b [Preview]: Users must authenticate with multi-factor authentication to create or update resources This policy definition blocks resource create and update operations when the caller is not authenticated via MFA. For more information, visit https://aka.ms/mfaforazure. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-05-22 17:43:25 BuiltIn
General db4a9d17-db75-4f46-9fcb-9f9526604417 [Preview]: Users must authenticate with multi-factor authentication to delete resources This policy definition blocks resource delete operations when the caller is not authenticated via MFA. For more information, visit https://aka.ms/mfaforazure. Default
AuditAction
Allowed
AuditAction, DenyAction, Disabled
add
 new Policy 2025-05-22 17:43:25 BuiltIn
Security Center e71c1e29-9c76-4532-8c4b-cb0573b0014c ChangeTracking extension should be installed on your Linux virtual machine scale sets Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2025-05-16 17:48:43 BuiltIn
Security Center 1288c8d7-4b05-4e3a-bc88-9053caefc021 Configure ChangeTracking Extension for Linux virtual machine scale sets Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2025-05-16 17:48:43 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch, old suffix: preview (1.4.0-preview > 1.4.1) 2025-05-16 17:48:43 BuiltIn
ChangeTrackingAndInventory 8fd85785-1547-4a4a-bf90-d5483c9571c5 Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2025-05-16 17:48:43 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d2c Configure ChangeTracking Extension for Windows virtual machine scale sets Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2025-05-16 17:48:43 BuiltIn
ChangeTrackingAndInventory 4485d24b-a9d3-4206-b691-1fad83bc5007 Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch, old suffix: preview (1.1.0-preview > 1.1.1) 2025-05-16 17:48:43 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d00 ChangeTracking extension should be installed on your Windows virtual machine scale sets Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2025-05-16 17:48:43 BuiltIn
ChangeTrackingAndInventory 1142b015-2bd7-41e0-8645-a531afe09a1e Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2025-05-16 17:48:43 BuiltIn
Guest Configuration c633f6a2-7f8b-4d9e-9456-02f0f04f5505 Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed
auditIfNotExists
change
 Major (3.0.0 > 4.0.0) 2025-05-16 17:48:43 BuiltIn
Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. Fixed
deployIfNotExists 		count: 001
Guest Configuration Resource Contributor
change
 Major (2.1.0 > 3.0.0) 2025-05-16 17:48:43 BuiltIn
BuiltInPolicyTest 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. This is a versioning test built-in. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2025-05-15 18:21:54 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Minor (2.1.1 > 2.2.0)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)		 2025-05-14 18:52:07 ALZ
App Service 75c42c42-dfb3-453d-8fd5-9f978e1b1106 Function app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. Note that this policy should only be applied to function apps that are not running on the Flex Consumption or Consumption hosting plans. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-05-06 19:40:34 BuiltIn
App Service f380edf5-de79-4862-bd57-ee407d8bd8b6 Function app slots should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Note that this policy should only be applied to function apps that are not running on the Flex Consumption or Consumption hosting plans. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-05-06 19:40:34 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (3.12.0 > 3.13.0) 2025-05-06 19:40:34 BuiltIn
Kubernetes cadd9445-aeb8-4ee4-b505-c279db2f737f Configure AKS clusters to automatically join the specified Azure Kubernetes Fleet Manager Detect and ensure that AKS clusters join a given Azure Kubernetes Fleet Manager. Optionally, select a look-up tag to specify what fleet update group to join. To learn more, visit https://aka.ms/kubernetes-fleet/policy Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Fleet Manager Contributor Role
Azure Kubernetes Service Contributor Role
add
 new Policy 2025-05-06 19:40:34 BuiltIn
Azure Update Manager 9905ca54-1471-49c6-8291-7582c04cd4d4 Set prerequisite for Scheduling recurring updates on Azure virtual machines. This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, old suffix: preview (1.1.0-preview > 1.2.0) 2025-05-06 19:40:34 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Minor (4.8.0 > 4.9.0) 2025-05-06 19:40:34 BuiltIn
Network 7bca8353-aa3b-429b-904a-9229c4385837 Subnets should be private Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2025-05-06 19:40:34 BuiltIn
App Service 5e57f5ad-995a-485b-9f42-4748935ee5d9 Function apps should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Note that this policy should only be applied to function apps that are not running on the Flex Consumption or Consumption hosting plans. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-05-06 19:40:34 BuiltIn
Monitoring a70ca396-0a34-413a-88e1-b956c1e683be [Deprecated]: Virtual machines should have the Log Analytics extension installed This policy definition is deprecated because of limited performance uplift possible and the usage of a legacy authentication model. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) 2025-05-06 19:40:34 BuiltIn
Kubernetes c7f49635-e3f0-4986-b072-90d0c7c3d4cd Azure Kubernetes Service clusters should be a member of an Azure Kubernetes Fleet Manager. Detect and report any AKS clusters that are not members of an Azure Kubernetes Fleet Manager. To learn more, visit https://aka.ms/kubernetes-fleet/policy Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled 		count: 001
Azure Kubernetes Service Contributor Role
add
 new Policy 2025-05-06 19:40:34 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.7.0 > 3.8.0) 2025-05-06 19:40:34 BuiltIn
Batch 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 [Deprecated]: Metric alert rules should be configured on Batch accounts The Microsoft.Insights/alertRules resource type was deprecated. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-05-06 19:40:34 BuiltIn
Tags Audit-Tags-Mandatory-Rg Audit for mandatory tags on resource groups Audits resource groups to ensure they have required tags based on tag array. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2025-05-06 19:40:34 ALZ
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.4.0 > 1.5.0) 2025-05-06 19:40:34 BuiltIn
App Service 32a913ec-5ed7-4b31-a5b0-198450d8fb13 Function apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. Note that this policy should only be applied to function apps that are not running on the Flex Consumption or Consumption hosting plans. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-05-06 19:40:34 BuiltIn
Backup 9e47cad9-bcdb-42dd-8c9b-a81e15ca2842 [Preview]: Configure backup for Azure Files Shares without a given tag to a new recovery services vault with a new policy Enforce backup for all Azure Files by deploying a recovery services vault in the same location and resource group as the storage account. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude Azure Files in storage accounts containing a specified tag to control the scope of assignment. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Backup Contributor
Storage Account Contributor
add
 new Policy 2025-04-28 19:51:35 BuiltIn
Backup e159e079-0ddd-4905-97c9-79a8fca6d880 [Preview]: Configure backup for Azure Files Shares without a given tag to an existing recovery services vault in the same location Enforce backup for all Azure Files by backing them up to an existing central recovery services vault in the same location and subscription as the storage account. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude Azure Files in storage accounts containing a specified tag to control the scope of assignment. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Backup Contributor
Storage Account Contributor
add
 new Policy 2025-04-28 19:51:35 BuiltIn
Backup f32ca068-2ada-4705-b5b5-84ce89422846 [Preview]: Configure backup for Azure Files Shares with a given tag to a new recovery services vault with a new policy Enforce backup for all Azure Files by deploying a recovery services vault in the same location and resource group as the storage account. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include Azure Files in storage accounts containing a specified tag to control the scope of assignment. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Backup Contributor
Storage Account Contributor
add
 new Policy 2025-04-28 19:51:35 BuiltIn
Backup d8659d5a-a3bd-444d-98ea-570bceb568cf [Preview]: Configure backup for Azure Files Shares with a given tag to an existing recovery services vault in the same location Enforce backup for all Azure Files by backing them up to an existing central recovery services vault in the same location and subscription as the storage account. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include Azure Files in storage accounts containing a specified tag to control the scope of assignment. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Backup Contributor
Storage Account Contributor
add
 new Policy 2025-04-28 19:51:35 BuiltIn
Machine Learning 6ddb1705-c8cf-450e-aa4b-19ad6703c440 Azure Machine Learning and Ai Studio should use Allow Only Approved Outbound Managed Vnet mode Managed VNet isolation streamlines and automates your network isolation configuration with a built-in, workspace-level Azure Machine Learning managed VNet. The managed VNet secures your managed Azure Machine Learning resources, such as compute instances, compute clusters, serverless compute, and managed online endpoints. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-04-28 19:51:35 BuiltIn
Kubernetes 021f8078-41a0-40e6-81b6-c6597da9f3ee [Preview]: Kubernetes cluster container images should not include latest image tag Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes 6bcd4321-fb89-4e3e-bf6c-999c13d47f43 [Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes 97de439f-fd35-4d43-a693-3644f51a51fd [Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2025-04-22 16:46:02 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.6.0 > 3.7.0) 2025-04-22 16:46:02 BuiltIn
Security Center e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 [Deprecated]: Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations, This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (3.2.0-deprecated > 3.2.1-deprecated) 2025-04-22 16:46:02 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.3.0 > 3.4.0) 2025-04-22 16:46:02 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes 5c58d54b-87f0-4dcd-83ea-e855fc988997 [Preview]: Sets UnhealthyPodEvictionPolicy to 'AlwaysAllow' Sets Pod Disruption Budget's UnhealthyPodEvictionPolicy to 'AlwaysAllow' to allow for evicting even unhealthy pods when performing cluster administration Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes a8e3ce3c-cac3-4402-a28a-03ee3ede9790 [Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes c812272d-7488-495f-a505-047d34b83f58 [Preview]: Mutate K8s Init Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes fed6510d-00b9-40db-a347-933125a6a327 [Preview]: Prevents init containers from being ran as root by setting runAsNotRoot to true. Setting runAsNotRoot to true increases security by preventing containers from being ran as root. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2025-04-22 16:46:02 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.3.0 > 3.4.0) 2025-04-22 16:46:02 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.4.1 > 4.5.0) 2025-04-22 16:46:02 BuiltIn
Kubernetes c873b3ba-c605-42e4-a64b-a142a93826fc [Preview]: Mutate K8s Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes fe74a23d-79e4-401c-bd0d-fd7a5b35af32 [Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes d77df159-718b-4aca-b94b-8e8890a98231 [Preview]: Sets Privilege escalation in the Pod spec to false. Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes e24df237-32cb-4a6c-a2f6-85b499cda9f2 [Preview]: Prints a message if a mutation is applied Looks up the mutation annotations applied and prints a message if annotation exists. Default
Audit
Allowed
Audit, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-04-22 16:46:02 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.8.0 > 3.9.0) 2025-04-22 16:46:02 BuiltIn
Kubernetes 57f274ef-580a-4ed2-bcf8-5c6fa3775253 [Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-04-22 16:46:02 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.4.1 > 4.5.0) 2025-04-22 16:46:02 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.6.0 > 3.7.0) 2025-04-22 16:46:02 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2025-04-22 16:46:02 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (6.5.1 > 6.6.0) 2025-04-22 16:46:02 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes 6f87d474-38a9-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes 4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8 [Preview]: Sets Privilege escalation in the Pod spec in init containers to false. Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2025-04-22 16:46:02 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (4.1.0 > 4.2.0) 2025-04-22 16:46:02 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2025-04-22 16:46:02 BuiltIn
Kubernetes 2fe7ba7d-f670-41f5-8b70-b61dc7dfbe18 [Preview]: Prevents containers from being ran as root by setting runAsNotRoot to true. Setting runAsNotRoot to true increases security by preventing containers from being ran as root. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2025-04-22 16:46:02 BuiltIn
Security Center e16f967a-aa57-4f5e-89cd-8d1434d0a29a [Deprecated]: Azure Security agent should be installed on your Windows virtual machine scale sets Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.2.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center 2f47ec78-4301-4655-b78e-b29377030cdc [Deprecated]: Configure supported Linux Arc machines to automatically install the Azure Security agent Configure supported Linux Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Linux Arc machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Search 76a56461-9dc0-40f0-82f5-2453283afa2f Azure AI Search services should use customer-managed keys to encrypt data at rest Enabling encryption at rest using a customer-managed key on your Azure AI Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2025-04-04 18:50:38 BuiltIn
Security Center 62b52eae-c795-44e3-94e8-1b3d264766fb [Deprecated]: Azure Security agent should be installed on your Linux virtual machine scale sets Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.1.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 [Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (7.0.0-preview > 7.1.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center bb2c6c6d-14bc-4443-bef3-c6be0adc6076 [Deprecated]: Azure Security agent should be installed on your Windows virtual machines Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.2.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center d01f3018-de9f-4d75-8dae-d12c1875da9f [Deprecated]: Configure supported Windows Arc machines to automatically install the Azure Security agent Configure supported Windows Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows Arc machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center 808a7dc4-49f2-4e7b-af75-d14e561c244a [Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.2.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center e8794316-d918-4565-b57d-6b38a06381a0 [Deprecated]: Azure Security agent should be installed on your Linux virtual machines Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.1.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Search 356da939-f20a-4bb9-86f8-5db445b0e354 Configure Azure AI Search services to enforce customer-managed keys to encrypt data at rest Enabling encryption at rest using a customer-managed key on your Azure AI Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. Default
Deny
Allowed
Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2025-04-04 18:50:38 BuiltIn
Security Center 1f300abb-f5a0-41c3-a163-91bd3ed35de7 [Deprecated]: Azure Security agent should be installed on your Linux Arc machines Install the Azure Security agent on your Linux Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (5.1.0-preview > 5.2.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center 6654c8c4-e6f8-43f8-8869-54327af7ce32 [Deprecated]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.1.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Security Center 0367cfc4-90b3-46ba-a8a6-ddd5d3514878 [Deprecated]: Azure Security agent should be installed on your Windows Arc machines Install the Azure Security agent on your Windows Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2025-04-04 18:50:38 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (3.3.1 > 3.4.0) 2025-03-28 18:30:06 BuiltIn
SignalR 62a3ae95-8169-403e-a2d2-b82141448092 Modify Azure SignalR Service resources to disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Modify
Allowed
Modify, Disabled 		count: 001
SignalR/Web PubSub Contributor
change
 Minor (1.1.0 > 1.2.0) 2025-03-21 20:19:45 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (4.1.0 > 4.2.0) 2025-03-21 20:19:45 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (1.1.0 > 1.2.0) 2025-03-21 20:19:45 BuiltIn
SignalR 21a9766a-82a5-4747-abb5-650b6dbba6d0 Azure SignalR Service should disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.1.0 > 1.2.0) 2025-03-21 20:19:45 BuiltIn
Kubernetes 40f1aee2-4db4-4b74-acb1-c6972e24cca8 Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (1.0.1 > 1.1.0) 2025-03-21 20:19:45 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor, suffix remains equal (1.0.5-preview > 1.1.0-preview) 2025-03-21 20:19:45 BuiltIn
Security Center 9345b7fb-67c5-496c-9f12-eaa74f676875 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL extension Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2025-03-17 18:27:39 BuiltIn
Security Center 813e1e44-914e-436d-a2ab-84c4529a6084 Assign System Assigned identity to SQL Virtual Machines Assign System Assigned identity at scale to Windows SQL virtual machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Managed Identity Operator
Virtual Machine Contributor
add
 new Policy 2025-03-17 18:27:39 BuiltIn
Security Center e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 [Deprecated]: Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations, This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.1.0 > 3.2.0-deprecated) 2025-03-07 18:28:00 BuiltIn
Storage db4f9b05-5ffd-4b34-b714-3c710dbb3fd6 Storage accounts should restrict network access using virtual network rules (excluding storage accounts created by Databricks) Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-03-03 18:38:02 BuiltIn
Container Apps 783ea2a8-b8fd-46be-896a-9ae79643a0b1 Container Apps should disable external network access Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.1 > 1.1.0) 2025-03-03 18:38:02 BuiltIn
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (3.2.0 > 3.3.0) 2025-03-03 18:38:02 BuiltIn
Storage fd9903f1-38c2-4d36-8e44-5c1c20c561e8 Storage accounts should prevent shared key access (excluding storage accounts created by Databricks) Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-03-03 18:38:02 BuiltIn
Kubernetes 5c58d54b-87f0-4dcd-83ea-e855fc988997 [Preview]: Sets UnhealthyPodEvictionPolicy to 'AlwaysAllow' Sets Pod Disruption Budget's UnhealthyPodEvictionPolicy to 'AlwaysAllow' to allow for evicting even unhealthy pods when performing cluster administration Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2025-03-03 18:38:02 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.3.0 > 1.4.0) 2025-03-03 18:38:02 BuiltIn
Storage 1604f626-4d8d-4124-8bb8-b1e5f95562de Storage accounts should use private link (excluding storage accounts created by Databricks) Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2025-03-03 18:38:02 BuiltIn
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.2.0 > 3.3.0) 2025-03-03 18:38:02 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.3.0 > 1.4.0) 2025-03-03 18:38:02 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (1.0.4 > 1.1.0) 2025-03-03 18:38:02 BuiltIn
App Service 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 App Service app slots should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2025-02-25 18:38:37 BuiltIn
App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.0.0 > 3.1.0) 2025-02-25 18:38:37 BuiltIn
Security Center ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Default
Audit
Allowed
Audit, Disabled
change
 Minor (1.0.4 > 1.1.0) 2025-02-25 18:38:37 BuiltIn
Backup cfc5190a-3b19-4a23-b563-a4c719b666e4 [Preview]: Azure Backup should be enabled on Azure file shares Ensure protection of your Azure file shares by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2025-02-25 18:38:37 BuiltIn
Kubernetes dbbdc317-9734-4dd8-9074-993b29c69008 Azure Kubernetes Clusters should enable Key Management Service (KMS) Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. Default
Audit
Allowed
Audit, Disabled
change
 Minor (1.0.0 > 1.1.0) 2025-02-25 18:38:37 BuiltIn
Security Center efd4031d-b232-4595-babf-ae817348e91b Configure Microsoft Defender for Containers plan New capabilities are continuously being added to Defender for Containers plan, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.0.0 > 1.1.0) 2025-02-17 18:37:09 BuiltIn
Search ee980b6d-0eca-4501-8d54-f6290fd512c3 Azure AI Search services should disable public network access Disabling public network access improves security by ensuring that your Azure AI Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2025-02-17 18:37:09 BuiltIn
Search fbc14a67-53e4-4932-abcc-2049c6706009 Configure Azure AI Search services to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure AI Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Patch (1.0.0 > 1.0.1) 2025-02-17 18:37:09 BuiltIn
App Service 387140f1-6da9-4741-bcee-3b5edcdfd9ec Function apps should enable end to end encryption Enabling end to end encryption ensures front-end intra-cluster traffic between App Service front-ends and the workers running application workloads is encrypted. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-02-17 18:37:09 BuiltIn
Search 0fda3595-9f2b-4592-8675-4231d6fa82fe [Deprecated]: Azure AI Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AI Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Audit
Allowed
Audit, Disabled
change
 Patch, suffix remains equal (1.0.1-deprecated > 1.0.2-deprecated) 2025-02-17 18:37:09 BuiltIn
Search 356da939-f20a-4bb9-86f8-5db445b0e354 Configure Azure AI Search services to enforce customer-managed keys to encrypt data at rest Enabling encryption at rest using a customer-managed key on your Azure AI Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. Default
Deny
Allowed
Deny, Disabled
add
 new Policy 2025-02-17 18:37:09 BuiltIn
App Service 123aed70-491a-4f07-a569-e1f3a8dd651e App Service app slots should enable end to end encryption Enabling end to end encryption ensures front-end intra-cluster traffic between App Service front-ends and the workers running application workloads is encrypted. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-02-17 18:37:09 BuiltIn
App Service cbe0e5eb-fea9-491d-ab20-a62cf049c5ae Function app slots should enable end to end encryption Enabling end to end encryption ensures front-end intra-cluster traffic between App Service front-ends and the workers running application workloads is encrypted. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-02-17 18:37:09 BuiltIn
Search 76a56461-9dc0-40f0-82f5-2453283afa2f Azure AI Search services should use customer-managed keys to encrypt data at rest Enabling encryption at rest using a customer-managed key on your Azure AI Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2025-02-17 18:37:09 BuiltIn
Search 4eb216f2-9dba-4979-86e6-5d7e63ce3b75 Configure Azure AI Search services to disable local authentication Disable local authentication methods so that your Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Default
Modify
Allowed
Modify, Disabled 		count: 001
Search Service Contributor
change
 Patch (1.0.0 > 1.0.1) 2025-02-17 18:37:09 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled or public network access disabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.2.1 > 3.3.0) 2025-02-17 18:37:09 BuiltIn
Search a049bf77-880b-470f-ba6d-9f21c530cf83 Azure AI Search service should use a SKU that supports private link With supported SKUs of Azure AI Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2025-02-17 18:37:09 BuiltIn
Search 6300012e-e9a4-4649-b41f-a85f5c43be91 Azure AI Search services should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure AI Search portal functionality since some features of the Portal use the GA API which does not support the parameter. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2025-02-17 18:37:09 BuiltIn
Search 9cee519f-d9c1-4fd9-9f79-24ec3449ed30 Configure Azure AI Search services to disable public network access Disable public network access for your Azure AI Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Modify
Allowed
Modify, Disabled 		count: 002
Network Contributor
Search Service Contributor
change
 Patch (1.0.0 > 1.0.1) 2025-02-17 18:37:09 BuiltIn
App Service af1d7e88-c1c8-4ea8-be1f-87bff0df9101 App Service apps should enable end to end encryption Enabling end to end encryption ensures front-end intra-cluster traffic between App Service front-ends and the workers running application workloads is encrypted. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-02-17 18:37:09 BuiltIn
Search b698b005-b660-4837-b833-a7aaab26ddba Configure Azure AI Search services with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure AI Search service, you can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
Search Service Contributor
change
 Patch (1.0.0 > 1.0.1) 2025-02-17 18:37:09 BuiltIn
BuiltInPolicyTest 125b7269-7ec9-47bf-8beb-8865b61c2c95 [Preview]: Append a tag and its value to resources - This built-in is created for versioning test. Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). Default
Append
Allowed
Append, Disabled
add
 new Policy 2025-02-05 19:33:00 BuiltIn
Security Center 938c4981-c2c9-4168-9cd6-972b8675f906 Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. Default
Audit
Allowed
Audit, Disabled
change
 Minor (1.0.1 > 1.1.0) 2025-02-05 19:33:00 BuiltIn
Resilience 1bf67da8-b100-45bf-b89d-e4669fc54411 [Preview]: Azure Cache for Redis should be Zone Redundant Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array or zonalAllocationPolicy is set to 'NoZones' or the sku is 'Basic' are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2025-01-30 19:26:44 BuiltIn
Monitoring 594c1276-f44f-482d-9910-71fac2ce5ae0 [Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.2.0-deprecated) 2025-01-30 19:26:44 BuiltIn
Monitoring bacd7fca-1938-443d-aad6-a786107b1bfb [Deprecated]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2025-01-30 19:26:44 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.7.0 > 1.8.0) 2025-01-30 19:26:44 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.5.0 > 1.6.0) 2025-01-30 19:26:44 BuiltIn
Tags Audit-Tags-Mandatory Audit for mandatory tags on resources Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-01-28 19:34:51 ALZ
Tags Audit-Tags-Mandatory-Rg Audit for mandatory tags on resource groups Audits resource groups to ensure they have required tags based on tag array. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2025-01-28 19:34:51 ALZ
Storage 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (3.1.0-preview > 3.1.1) 2025-01-21 21:08:24 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.3.0 > 2.3.1) 2025-01-21 21:08:24 BuiltIn
Security Center 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-01-21 19:02:36 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.5.0 > 1.6.0) 2025-01-21 19:02:36 BuiltIn
Managed Grafana cc4dfa24-c7df-47e4-80ff-3728adb3f9a0 Configure Azure Managed Grafana workspaces to disable service account Disable API keys and service account for automated workloads in Grafana workspace. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2025-01-21 19:02:36 BuiltIn
Security Center e3e008c3-56b9-4133-8fd7-d3347377402a [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-01-21 19:02:36 BuiltIn
Compute 8405fdab-1faf-48aa-b702-999c9c172094 Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.0 > 2.1.0) 2025-01-21 19:02:36 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.8.0 > 1.9.0) 2025-01-21 19:02:36 BuiltIn
SQL c9299215-ae47-4f50-9c54-8a392f68a052 Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.1.0 > 2.2.0) 2025-01-21 19:02:36 BuiltIn
Security Center 931e118d-50a1-4457-a5e4-78550e086c52 [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2025-01-21 19:02:36 BuiltIn
Monitoring 1f6e93e8-6b31-41b1-83f6-36e449a42579 Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (2.0.0 > 2.1.0) 2025-01-21 19:02:36 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.5.0 > 1.6.0) 2025-01-21 19:02:36 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.7.0 > 1.8.0) 2025-01-21 19:02:36 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.9.0 > 1.10.0) 2025-01-21 19:02:36 BuiltIn
Managed Grafana f757d603-5178-4168-ac45-5223f681023f Configure Azure Managed Grafana workspaces to disable email settings Disable SMTP settings configuration of email contact point for alerting in Grafana workspace. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2025-01-21 19:02:36 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.4.0 > 1.5.0) 2025-01-21 19:02:36 BuiltIn
Monitoring 04d53d87-841c-4f23-8a5b-21564380b55e Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (2.1.0 > 2.2.0) 2025-01-21 19:02:36 BuiltIn
Security Center f08f556c-12ff-464d-a7de-40cb5b6cccec Configure ChangeTracking Extension for Windows virtual machines Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, old suffix: preview (2.0.0-preview > 2.1.0) 2024-11-01 18:49:23 BuiltIn
ChangeTrackingAndInventory b6faa975-0add-4f35-8d1c-70bba45c4424 Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, old suffix: preview (1.0.0-preview > 1.1.0) 2024-11-01 18:49:23 BuiltIn
ChangeTrackingAndInventory bef2d677-e829-492d-9a3d-f5a20fda818f Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, old suffix: preview (1.0.0-preview > 1.1.0) 2024-11-01 18:49:23 BuiltIn
ChangeTrackingAndInventory ad1eeff9-20d7-4c82-a04e-903acab0bfc1 Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, old suffix: preview (1.1.0-preview > 1.2.0) 2024-11-01 18:49:23 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, old suffix: preview (1.5.0-preview > 1.6.0) 2024-11-01 18:49:23 BuiltIn
Security Center ec88097d-843f-4a92-8471-78016d337ba4 Configure ChangeTracking Extension for Linux virtual machines Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, old suffix: preview (2.0.0-preview > 2.1.0) 2024-11-01 18:49:23 BuiltIn
ChangeTrackingAndInventory ef9fe2ce-a588-4edd-829c-6247069dcfdb Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, old suffix: preview (1.0.0-preview > 1.1.0) 2024-10-31 18:50:28 BuiltIn
Security Center af6cd1bd-1635-48cb-bde7-5b15693900b9 [Deprecated]: Monitor missing Endpoint Protection in Azure Security Center Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-31 18:50:28 BuiltIn
Security Center 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 [Deprecated]: Endpoint protection should be installed on your machines To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-10-31 18:50:28 BuiltIn
Security Center 10caed8a-652c-4d1d-84e4-2805b7c07278 Configure ChangeTracking Extension for Linux Arc machines Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, old suffix: preview (2.0.0-preview > 2.1.0) 2024-10-31 18:50:28 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, old suffix: preview (1.3.0-preview > 1.4.0) 2024-10-31 18:50:28 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.7.0 > 1.8.0) 2024-10-31 18:50:28 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5192 Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, old suffix: preview (1.0.0-preview > 1.1.0) 2024-10-31 18:50:28 BuiltIn
Security Center 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 [Deprecated]: Endpoint protection health issues should be resolved on your machines Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-10-31 18:50:28 BuiltIn
ChangeTrackingAndInventory a7acfae7-9497-4a3f-a3b5-a16a50abbe2f Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, old suffix: preview (1.0.0-preview > 1.1.0) 2024-10-31 18:50:28 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.8.0 > 1.9.0) 2024-10-31 18:50:28 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4cd5 Configure ChangeTracking Extension for Windows Arc machines Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, old suffix: preview (2.0.0-preview > 2.1.0) 2024-10-31 18:50:28 BuiltIn
Security Center 26a828e1-e88f-464e-bbb3-c134a282b9de [Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-31 18:50:28 BuiltIn
Security Center 1e378679-f122-4a96-a739-a7729c46e1aa [Deprecated]: Cloud Services (extended support) role instances should have an endpoint protection solution installed Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-10-31 18:50:28 BuiltIn
Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Patch (2.1.0 > 2.1.1) 2024-10-30 18:57:40 BuiltIn
App Service deb528de-8f89-4101-881c-595899253102 Function app slots should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-10-25 17:51:35 BuiltIn
App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.1 > 2.1.0) 2024-10-25 17:51:35 BuiltIn
App Service ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d Configure App Service apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Minor (1.0.1 > 1.1.0) 2024-10-25 17:51:35 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.3.0 > 9.4.0) 2024-10-25 17:51:35 BuiltIn
App Service f9d614c5-c173-4d56-95a7-b4437057d193 Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.1 > 2.1.0) 2024-10-25 17:51:35 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.3.0 > 9.4.0) 2024-10-25 17:51:35 BuiltIn
App Service 014664e7-e348-41a3-aeb9-566e4ff6a9df Configure App Service app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-10-25 17:51:35 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.3.0 > 9.4.0) 2024-10-25 17:51:35 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.3.0 > 9.4.0) 2024-10-25 17:51:35 BuiltIn
App Service fa3a6357-c6d6-4120-8429-855577ec0063 Configure Function app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-10-25 17:51:35 BuiltIn
App Service 4ee5b817-627a-435a-8932-116193268172 App Service app slots should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-10-25 17:51:35 BuiltIn
App Service 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 Configure Function apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Minor (1.0.1 > 1.1.0) 2024-10-25 17:51:35 BuiltIn
PostgreSQL 1d14b021-1bae-4f93-b36b-69695e14984a Disconnections should be logged for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2024-10-21 17:52:17 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-10-21 17:52:17 BuiltIn
PostgreSQL a43d5475-c569-45ce-a268-28fa79f4e87a PostgreSQL flexible servers should be running TLS version 1.2 or newer This policy helps audit any PostgreSQL flexible servers in your environment which is running with TLS version less than 1.2. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-10-21 17:52:17 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.2.1 > 2.3.0) 2024-10-15 17:53:32 BuiltIn
Guest Configuration e22a2f03-0534-4d10-8ea0-aa25a6113233 Configure SSH security posture for Linux (powered by OSConfig) This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-10-15 17:53:32 BuiltIn
Machine Learning 12e5dd16-d201-47ff-849b-8454061c293d [Preview]: Azure Machine Learning Deployments should only use approved Registry Models Restrict the deployment of Registry models to control externally created models used within your organization Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-10-15 17:53:32 BuiltIn
Guest Configuration a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4 Audit SSH security posture for Linux (powered by OSConfig) This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-10-15 17:53:32 BuiltIn
SQL Deploy-MySQL-sslEnforcement Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-10-10 01:17:21 ALZ
App Service Append-AppService-latestTLS AppService append sites with minimum TLS version to enforce. Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny. Default
Append
Allowed
Append, Disabled
change
 Minor (1.1.0 > 1.2.0) 2024-10-10 01:17:21 ALZ
SQL Deploy-SQL-minTLS SQL servers deploys a specific min TLS version requirement. Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Server Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-10-10 01:17:21 ALZ
Event Hub Deny-EH-minTLS Event Hub namespaces should use a valid TLS version Event Hub namespaces should use a valid TLS version. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-10-10 01:17:21 ALZ
SQL Deploy-PostgreSQL-sslEnforcement Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-10-10 01:17:21 ALZ
SQL Deny-Sql-minTLS Azure SQL Database should have the minimal TLS version set to the highest version Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Minor (1.0.0 > 1.1.0) 2024-10-10 01:17:21 ALZ
Cache Deny-Redis-http Azure Cache for Redis only secure connections should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default
Deny
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-10-10 01:17:21 ALZ
Cache Append-Redis-sslEnforcement Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
Append
Allowed
Append, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-10-10 01:17:21 ALZ
Networking Deploy-Private-DNS-Generic Deploy-Private-DNS-Generic Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Major (1.0.0 > 2.0.0) 2024-10-10 01:17:21 ALZ
SQL Deny-SqlMi-minTLS SQL Managed Instance should have the minimal TLS version set to the highest version Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Minor (1.0.0 > 1.1.0) 2024-10-10 01:17:21 ALZ
SQL Deploy-SqlMi-minTLS SQL managed instances deploy a specific min TLS version requirement. Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Managed Instance Contributor
change
 Minor (1.2.0 > 1.3.0) 2024-10-10 01:17:21 ALZ
Storage Deploy-Storage-sslEnforcement Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Storage Account Contributor
change
 Minor (1.2.0 > 1.3.0) 2024-10-10 01:17:21 ALZ
Network Deny-VNET-Peer-Cross-Sub Deny vNet peering cross subscription. This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.1 > 1.1.0) 2024-10-10 01:17:21 ALZ
SQL Deny-MySql-http MySQL database servers enforce SSL connections. Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
Deny
Allowed
Audit, Disabled, Deny
change
 Minor (1.0.0 > 1.1.0) 2024-10-10 01:17:21 ALZ
Security Center 123a3936-f020-408a-ba0c-47873faf1534 [Deprecated]: Allowlist rules in your adaptive application control policy should be updated Monitor changes in behavior on machines audited by Azure Security Center's adaptive application controls. Security Center uses machine learning to suggest known-safe applications as recommended apps. This policy is deprecated due to the deprecation of the Azure Monitoring agent. Learn more at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center 47a6b606-51aa-4496-8bb7-64b11cf66adc [Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define safe applications and get alerts for others, enhancing security. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 [Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center recommends NSG rules for Internet-facing VMs. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center 475aae12-b88a-4572-8b36-9b712b2b3a17 [Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription Azure Security Center collects VM data using the Log Analytics agent for security monitoring. Enable auto provisioning for automatic deployment. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center e8cbc669-f12d-49eb-93e7-9273119e9933 [Deprecated]: Vulnerabilities in container security configurations should be remediated Audit Docker security vulnerabilities and display recommendations in Azure Security Center. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 [Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks, This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
App Configuration d242c24b-bac7-439e-8af7-22d7dcfd3c4f App Configuration should use geo-replication Use the geo-replication feature to create replicas in other locations of your current configuration store for enhanced resiliency and availability. Additionally, having multi-region replicas lets you better distribute load, lower latency, protect against datacenter outages, and compartmentalize globally distributed workloads. Learn more at: https://aka.ms/appconfig/geo-replication. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-10-07 17:51:17 BuiltIn
Container Apps d074ddf8-01a5-4b5e-a2b8-964aed452c0a Container Apps environment should disable public network access Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.1 > 1.1.0) 2024-10-07 17:51:17 BuiltIn
Security Center c3f317a7-a95c-4547-b7e7-11017ebdf2fe [Deprecated]: System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center 86b3d65f-7626-441e-b690-81a8b71cff60 [Deprecated]: System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (4.0.0 > 4.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Cache 1b1df1e6-d60f-4430-9390-2b0c83aae4a7 Configure Azure Cache for Redis Enterprise with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-09-27 17:51:42 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.2.0 > 2.3.0) 2024-09-24 17:50:47 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-09-24 17:50:47 BuiltIn
Machine Learning ba769a63-b8cc-4b2d-abf6-ac33c7204be8 Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.3 > 1.1.0) 2024-09-18 17:50:24 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.6.0 > 1.7.0) 2024-09-10 17:48:30 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-09-10 17:48:30 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.3.0 > 1.4.0) 2024-09-10 17:48:30 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.6.0 > 1.7.0) 2024-09-10 17:48:30 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.7.0 > 1.8.0) 2024-09-10 17:48:30 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-09-10 17:48:30 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor, suffix remains equal (7.2.0-preview > 7.3.0-preview) 2024-09-10 17:48:30 BuiltIn
Health Deidentification Service d9b2d63d-a233-4123-847a-7f7e5f5d7e7a Azure Health Data Services de-identification service should use private link Azure Health Data Services de-identification service should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-09-10 17:48:30 BuiltIn
Health Deidentification Service c5f34731-7ab9-42ff-922d-ef4920068b74 Azure Health Data Services de-identification service should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-09-10 17:48:30 BuiltIn
Security Center 359a48a3-351a-4618-bb32-f1628645694b Configure Microsoft Defender threat protection for AI Services New capabilities are continuously being added to threat protection for AI Services, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2024-09-02 17:49:45 BuiltIn
Kubernetes e1352e44-d34d-4e4d-a22e-451a15f759a1 Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-09-02 17:49:45 BuiltIn
Kubernetes 2fe7ba7d-f670-41f5-8b70-b61dc7dfbe18 [Preview]: Prevents containers from being ran as root by setting runAsNotRoot to true. Setting runAsNotRoot to true increases security by preventing containers from being ran as root. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-08-26 18:17:33 BuiltIn
Kubernetes fed6510d-00b9-40db-a347-933125a6a327 [Preview]: Prevents init containers from being ran as root by setting runAsNotRoot to true. Setting runAsNotRoot to true increases security by preventing containers from being ran as root. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-08-26 18:17:33 BuiltIn
Cache 7473e756-98d9-4d10-9a22-8101ef32cd74 Configure Azure Cache for Redis Enterprise to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis Enterprise. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2024-08-20 18:21:51 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor (4.2.0 > 4.3.0) 2024-08-20 18:21:51 BuiltIn
Security Center f85bf3e0-d513-442e-89c3-1784ad63382b System updates should be installed on your machines (powered by Update Center) Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-08-20 18:21:51 BuiltIn
Cache 960e650e-9ce3-4316-9590-8ee2c016ca2f Azure Cache for Redis Enterprise should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-08-20 18:21:51 BuiltIn
Cache 09aa11bb-87ec-409f-bf0b-49b7c1561a87 Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data Use customer-managed keys (CMK) to manage the encryption at rest of your on-disk data. By default, customer data is encrypted with platform-managed keys (PMK), but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/RedisCMK. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-08-20 18:21:51 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (4.4.0 > 4.4.1) 2024-08-20 18:21:51 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor, suffix remains equal (7.1.0-preview > 7.2.0-preview) 2024-08-20 18:21:51 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (2.2.0 > 2.2.1) 2024-08-20 18:21:51 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (4.5.0 > 4.5.1) 2024-08-20 18:21:51 BuiltIn
Cache 1b1df1e6-d60f-4430-9390-2b0c83aae4a7 Configure Azure Cache for Redis Enterprise with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2024-08-20 18:21:51 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (3.3.0 > 3.3.1) 2024-08-20 18:21:51 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (6.5.0 > 6.5.1) 2024-08-20 18:21:51 BuiltIn
Regulatory Compliance 9e1a2a94-cf7e-47de-b28e-d445ecc63902 Set file integrity rules in your organization CMA_M1000 - Set file integrity rules in your organization Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2024-08-20 18:21:51 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (3.3.0 > 3.3.1) 2024-08-20 18:21:51 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (4.4.0 > 4.4.1) 2024-08-20 18:21:51 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (2.2.0 > 2.2.1) 2024-08-20 18:21:51 BuiltIn
Kubernetes 57f274ef-580a-4ed2-bcf8-5c6fa3775253 [Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (9.2.0 > 9.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.0 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.1.0 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (9.1.0 > 9.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.1.0 > 2.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.1.0 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (8.1.0 > 8.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.1 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 6f87d474-38a9-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (2.2.0-preview > 2.3.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 1a3b9003-eac6-4d39-a184-4a567ace7645 [Preview]: Kubernetes cluster container images must include the preStop hook Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.1 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes ca8d5704-aa2b-40cf-b110-dc19052825ad Kubernetes clusters should minimize wildcard use in role and cluster role Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. Default
Audit
Allowed
Audit, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.1 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes cf426bb8-b320-4321-8545-1b784a5df3a4 [Image Integrity] Kubernetes clusters should only use images signed by notation Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity Default
Audit
Allowed
Audit, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.2.0 > 6.3.0) 2024-08-09 18:17:47 BuiltIn
Network fe8a9af4-a003-4c7d-b7a4-b9808310c4f8 Public IPs and Public IP prefixes should have FirstPartyUsage tag Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-08-09 18:17:47 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.1.0 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.1.1 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.2.0 > 3.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.1.1 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 077f0ce1-86d6-4058-bc60-de05067e8622 Kubernetes cluster Windows pods should not run HostProcess containers Prevent prviledged access to the windows node. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-08-09 18:17:47 BuiltIn
Kubernetes e24df237-32cb-4a6c-a2f6-85b499cda9f2 [Preview]: Prints a message if a mutation is applied Looks up the mutation annotations applied and prints a message if annotation exists. Default
Audit
Allowed
Audit, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.1.1 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes c873b3ba-c605-42e4-a64b-a142a93826fc [Preview]: Mutate K8s Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.1.1 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes d77df159-718b-4aca-b94b-8e8890a98231 [Preview]: Sets Privilege escalation in the Pod spec to false. Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.1.0 > 2.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.1.0 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.1.0 > 1.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.1.1 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.1.0 > 2.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (9.2.0 > 9.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (8.1.0 > 8.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 021f8078-41a0-40e6-81b6-c6597da9f3ee [Preview]: Kubernetes cluster container images should not include latest image tag Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Azure Load Testing d855fd7a-9be5-4d84-8b75-28d41aadc158 [Preview]: Load tests using Azure Load Testing should be run only against private endpoints from within a virtual network. Azure Load Testing engine instances should use virtual network injection for the following purposes: 1. Isolate Azure Load Testing engines to a virtual network. 2. Enable Azure Load Testing engines to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Load Testing engines. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-08-09 18:17:47 BuiltIn
Kubernetes a3dc4946-dba6-43e6-950d-f96532848c9f Kubernetes clusters should ensure that the cluster-admin role is only used where required The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. Default
Audit
Allowed
Audit, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (8.1.1 > 8.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.1.0 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes c812272d-7488-495f-a505-047d34b83f58 [Preview]: Mutate K8s Init Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (8.1.0 > 8.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 6bcd4321-fb89-4e3e-bf6c-999c13d47f43 [Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.0 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.2.0 > 2.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8 [Preview]: Sets Privilege escalation in the Pod spec in init containers to false. Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Cache 3827af20-8f80-4b15-8300-6db0873ec901 Azure Cache for Redis should not use access keys for authentication Not using local authentication methods like access keys and using more secure alternatives like Microsoft Entra ID (recommended) improves security for your Azure Cache for Redis. Learn more at aka.ms/redis/disableAccessKeyAuthentication Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-08-05 18:24:24 BuiltIn
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.1.0 > 2.2.0) 2024-08-05 18:24:24 BuiltIn
Security Center 7e92882a-2f8a-4991-9bc4-d3147d40abb0 Enable threat protection for AI workloads Microsoft threat protection for AI workloads provides contextualized, evidence-based security alerts aimed at protecting home grown Generative AI powered applications Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2024-08-05 18:24:24 BuiltIn
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed
deployIfNotExists 		count: 001
Virtual Machine Contributor
change
 Minor (5.0.0 > 5.1.0) 2024-07-30 18:18:24 BuiltIn
Monitoring deacecc0-9f84-44d2-bb82-46f32d766d43 Configure Dependency agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (2.0.0 > 2.1.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.2.2 > 1.3.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.3.0 > 4.4.0) 2024-07-30 18:18:24 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.5.0 > 3.6.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed
deployIfNotExists 		count: 001
Log Analytics Contributor
change
 Minor (5.0.0 > 5.1.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (6.4.0 > 6.5.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.5.0 > 3.6.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.2.0 > 3.3.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.2.0 > 3.3.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 08a4470f-b26d-428d-97f4-7e3e9c92b366 Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.1.2 > 1.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.1.0 > 3.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.2.2 > 1.3.0) 2024-07-30 18:18:24 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.7.0 > 3.8.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 84cfed75-dfd4-421b-93df-725b479d356a Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.1.2 > 1.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.7.0 > 3.8.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.1.1 > 3.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.3.0 > 4.4.0) 2024-07-30 18:18:24 BuiltIn
Security Center 3bc8a0d5-38e0-4a3d-a657-2cb64468fc34 Azure Defender for SQL should be enabled for unprotected MySQL flexible servers Audit MySQL flexible servers without Advanced Data Security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-07-30 18:18:24 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (3.1.1 > 3.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (3.1.0 > 3.2.0) 2024-07-30 18:18:24 BuiltIn
PostgreSQL 12c74c95-0efd-48da-b8d9-2a7d68470c92 PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-07-30 18:18:24 BuiltIn
Network 7bca8353-aa3b-429b-904a-9229c4385837 Subnets should be private Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-07-30 18:18:24 BuiltIn
Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 Configure Dependency agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (2.0.0 > 2.1.0) 2024-07-30 18:18:24 BuiltIn
Search 0fda3595-9f2b-4592-8675-4231d6fa82fe [Deprecated]: Azure AI Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AI Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Audit
Allowed
Audit, Disabled
change
 Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated) 2024-07-17 18:20:29 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.5.0 > 1.6.0) 2024-07-17 18:20:29 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.3.0 > 1.4.0) 2024-07-17 18:20:29 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.5.0 > 1.6.0) 2024-07-17 18:20:29 BuiltIn
Cognitive Services cddd188c-4b82-4c48-a19d-ddf74ee66a01 [Deprecated]: Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Audit
Allowed
Audit, Disabled
change
 Patch, new suffix: deprecated (3.0.0 > 3.0.1-deprecated) 2024-07-17 18:20:29 BuiltIn
Azure Ai Services d6759c02-b87f-42b7-892e-71b3f471d782 Azure AI Services resources should use Azure Private Link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-07-17 18:20:29 BuiltIn
Kubernetes c812272d-7488-495f-a505-047d34b83f58 [Preview]: Mutate K8s Init Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-15 18:22:44 BuiltIn
Kubernetes c873b3ba-c605-42e4-a64b-a142a93826fc [Preview]: Mutate K8s Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-15 18:22:44 BuiltIn
Security Center ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.3 > 1.0.4) 2024-07-09 18:20:14 BuiltIn
Network 794d77cc-fe65-4801-8514-230c0be387a8 Azure Firewall Classic Rules should be migrated to Firewall Policy Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Network dfb5ac92-ce74-4dbc-81fa-87243e62d5d3 Azure Firewall Policy Analytics should be Enabled Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes 57f274ef-580a-4ed2-bcf8-5c6fa3775253 [Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Network da79a7e2-8aa1-45ed-af81-ba050c153564 Azure Firewall Policy should enable Threat Intelligence Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Guest Configuration 4078e558-bda6-41fb-9b3c-361e8875200d [Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (2.0.0 > 2.1.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Network 72923a3a-e567-46d3-b3f9-ffb2462a1c3a Virtual Hubs should be protected with Azure Firewall Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Network 3f84c9b0-8b64-4208-98d4-6ada96bb49c3 Azure Firewall Policy should have DNS Proxy Enabled Enabling DNS Proxy will make the Azure Firewall associated with this policy to listen on port 53 and forward the DNS requests to specified DNS server Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes d77df159-718b-4aca-b94b-8e8890a98231 [Preview]: Sets Privilege escalation in the Pod spec to false. Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes 6f87d474-38a9-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Network 3e1f521a-d037-4709-bdd6-1f532f271a75 Azure Firewall should be deployed to span multiple Availability Zones For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Guest Configuration 1e7fed80-8321-4605-b42c-65fc300f23a3 [Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.1.0 > 1.2.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Security Center a4fe33eb-e377-4efb-ab31-0784311bc499 [Deprecated]: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Network 7c591a93-c34c-464c-94ac-8f9f9a46e3d6 Azure Firewall Standard - Classic Rules should enable Threat Intelligence Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes 97de439f-fd35-4d43-a693-3644f51a51fd [Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes a8e3ce3c-cac3-4402-a28a-03ee3ede9790 [Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Security Center a3a6ea0c-e018-4933-9ef0-5aaa1501449b [Deprecated]: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Kubernetes 6bcd4321-fb89-4e3e-bf6c-999c13d47f43 [Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes e24df237-32cb-4a6c-a2f6-85b499cda9f2 [Preview]: Prints a message if a mutation is applied Looks up the mutation annotations applied and prints a message if annotation exists. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Kubernetes 4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8 [Preview]: Sets Privilege escalation in the Pod spec in init containers to false. Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Network 8c19196d-7fd7-45b2-a9b4-7288f47c769a Azure Firewall Standard should be upgraded to Premium for next generation protection If you are looking for next generation protection like IDPS and TLS inspection, you should consider upgrading your Azure Firewall to Premium sku. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes fe74a23d-79e4-401c-bd0d-fd7a5b35af32 [Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user id Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-07-09 18:20:14 BuiltIn
Managed Grafana a08f2347-fe9c-482b-a944-f6a0e05124c0 Azure Managed Grafana workspaces should disable Grafana Enterprise upgrade Disables Grafana Enterprise upgrade in Grafana workspace. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-28 18:15:04 BuiltIn
Managed Grafana 3a97e513-f75e-4230-8137-1efad4eadbbc Azure Managed Grafana workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2024-06-28 18:15:04 BuiltIn
Managed Grafana b6752a42-6fc3-46cb-8a15-33aa109407b1 Azure Managed Grafana workspaces should disable email settings Disables SMTP settings configuration of email contact point for alerting in Grafana workspace. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-28 18:15:04 BuiltIn
Managed Grafana 0656cf40-485c-427b-b992-703a4ecf4f88 Azure Managed Grafana workspaces should disable service account Disables API keys and service account for automated workloads in Grafana workspace. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-28 18:15:04 BuiltIn
Managed Grafana bc33de80-97cd-4c11-b6b4-d075e03c7d60 Configure Azure Managed Grafana workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2024-06-28 18:15:04 BuiltIn
Kubernetes 28257686-e9db-403e-b9e2-a5eecbe03da9 Azure Kubernetes Clusters should disable SSH Disable SSH gives you the ability to secure your cluster and reduce the attack surface. To learn more, visit: aka.ms/aks/disablessh Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-06-24 18:15:26 BuiltIn
Network 632d3993-e2c0-44ea-a7db-2eca131f356d [Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Network f516dc7a-4543-4d40-aad6-98f76a706b50 [Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Guest Configuration b3248a42-b1c1-41a4-87bc-8bad3d845589 Windows machines should enable Windows Defender Real-time protection Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2024-06-14 18:20:16 BuiltIn
Network 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 [Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
PostgreSQL 12c74c95-0efd-48da-b8d9-2a7d68470c92 PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-14 18:20:16 BuiltIn
PostgreSQL 78ed47da-513e-41e9-a088-e829b373281d Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace Deploys the diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible servers which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2024-06-14 18:20:16 BuiltIn
Guest Configuration 2454bbee-dc19-442f-83fc-7f3114cafd91 [Deprecated]: Windows machines should use the default NTP server This policy is deprecated because Microsoft 365 App Compliance Program no longer checks the default NTP server on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Network 711c24bb-7f18-4578-b192-81a6161e1f17 [Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Network a58ac66d-92cb-409c-94b8-8e48d7a96596 [Deprecated]: Azure firewall policy should enable TLS inspection within application rules This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
PostgreSQL a43d5475-c569-45ce-a268-28fa79f4e87a PostgreSQL flexible servers should be running TLS version 1.2 or newer This policy helps audit any PostgreSQL flexible servers in your environment which is running with TLS version less than 1.2. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-06-14 18:20:16 BuiltIn
PostgreSQL ce39a96d-bf09-4b60-8c32-e85d52abea0f A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-06-14 18:20:16 BuiltIn
Guest Configuration d96163de-dbe0-45ac-b803-0e9ca0f5764e Windows machines should configure Windows Defender to update protection signatures within one day To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2024-06-14 18:20:16 BuiltIn
Network f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf [Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 [Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.2.0 > 1.3.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Network 6484db87-a62d-4327-9f07-80a2cbdf333a [Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.0.1 > 3.1.0) 2024-06-14 18:20:16 BuiltIn
PostgreSQL 4eb5e667-e871-4292-9c5d-8bbb94e0c908 Auditing with PgAudit should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment which is not enabled to use pgaudit. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-06-14 18:20:16 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-06-10 18:18:08 BuiltIn
Security Center Deploy-ASC-SecurityContacts Deploy Microsoft Defender for Cloud Security Contacts Deploy Microsoft Defender for Cloud Security Contacts Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Major (1.1.0 > 2.0.0) 2024-06-10 18:18:08 ALZ
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.6.0 > 1.7.0) 2024-06-10 18:18:08 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.5.0 > 1.6.0) 2024-06-10 18:18:08 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.6.0 > 1.7.0) 2024-06-10 18:18:08 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor (4.1.0 > 4.2.0) 2024-06-10 18:18:08 BuiltIn
DevOpsInfrastructure 0d6d79a8-8406-4e87-814d-2dcd83b2c355 [Preview]: Microsoft Managed DevOps Pools should be provided with valid subnet resource in order to configure with own virtual network. Disallows creating Pool resources if a valid subnet resource is not provided. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-10 18:18:08 BuiltIn
General DenyAction-DeleteResources Do not allow deletion of specified resource and resource type This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect. Default
DenyAction
Allowed
DenyAction, Disabled
add
 new Policy 2024-06-06 18:16:12 ALZ
Logic Apps Deploy-LogicApp-TLS Configure Logic apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-LocalUser Local users should be restricted for Storage Accounts Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Bastion [Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Databricks [Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WVDHostPools [Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Function [Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ApiForFHIR [Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-SQLMI [Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR [Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn		 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-LogicAppsISE [Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Event Hub Deny-EH-Premium-CMK Event Hub namespaces (Premium) should use a customer-managed key for encryption Event Hub namespaces (Premium) should use a customer-managed key for encryption. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-RedisCache [Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-EventGridTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Logic Apps Deny-LogicApps-Without-Https Logic app should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Network Deny-AppGw-Without-Tls Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2 Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VNetGW [Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WebServerFarm [Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Guest Configuration e22a2f03-0534-4d10-8ea0-aa25a6113233 Configure SSH security posture for Linux (powered by OSConfig) This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
add
 new Policy 2024-06-03 17:39:43 BuiltIn
Network Deny-Service-Endpoints Deny or Audit service endpoints on subnets This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ApplicationGateway [Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-NetworkAclsBypass Network ACL bypass option should be restricted for Storage Accounts Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Logic Apps Deny-LogicApp-Public-Network Logic apps should disable public network access Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-LoadBalancer [Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-MediaService [Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-TrafficManager [Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-Arc-Sql-DefenderSQL-DCR [Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (63d03cbd-47fd-4ee1-8a1c-9ddf07303de0) BuiltIn		 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Relay [Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-SQLElasticPools [Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Event Hub Deny-EH-minTLS Event Hub namespaces should use a valid TLS version Event Hub namespaces should use a valid TLS version. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Network Deny-AzFw-Without-Policy Azure Firewall should have a default Firewall Policy This policy denies the creation of Azure Firewall without a default Firewall Policy. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-CopyScope Allowed Copy scope should be restricted for Storage Accounts Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ResourceAccessRulesTenantId Resource Access Rules Tenants should be restricted for Storage Accounts Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-MySQL [Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-AVDScalingPlans [Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Firewall [Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-NetworkSecurityGroups [Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-APIMgmt [Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ContainerDeleteRetentionPolicy Storage Accounts should use a container delete retention policy Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-DLAnalytics [Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-SQL-AMA [Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure SQL Virtual Machines to automatically install Azure Monitor Agent (f91991d1-5383-4c95-8ee5-5ac423dd8bb1) BuiltIn		 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ResourceAccessRulesResourceId Resource Access Rules resource IDs should be restricted for Storage Accounts Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Network Audit-PrivateLinkDnsZones Audit or Deny the creation of Private Link Private DNS Zones This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.1 > 1.0.2) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ACR [Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-DataExplorerCluster [Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VirtualNetwork [Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-HDInsight [Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-DataFactory [Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-LogAnalytics [Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Cost Optimization Audit-PublicIpAddresses-UnusedResourcesCostOptimization Unused Public IP addresses driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. Default
Audit
Allowed
Audit, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-EventGridSub [Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-MlWorkspace [Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-SQL-DefenderSQL [Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL (ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) BuiltIn		 2024-06-03 17:39:43 ALZ
Security Center 0961003e-5a0a-4549-abde-af6a37f2724d [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (2.0.3 > 2.1.0-deprecated) 2024-06-03 17:39:43 BuiltIn
SQL fa498b91-8a7e-4710-9578-da944c68d1fe [Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-06-03 17:39:43 BuiltIn
Monitoring Deploy-Diagnostics-PowerBIEmbedded [Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ServicesEncryption Encryption for storage services should be enforced for Storage Accounts Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-AnalysisService [Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
API Management Deny-APIM-TLS API Management services should use TLS version 1.2 Azure API Management service should use TLS version 1.2 Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-EventGridSystemTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Cognitive Services Deny-CognitiveServices-NetworkAcls Network ACLs should be restricted for Cognitive Services Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ExpressRoute [Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-AA [Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-PostgreSQL [Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2024-06-03 17:39:43 ALZ
Networking Deploy-Private-DNS-Generic Deploy-Private-DNS-Generic Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-CosmosDB [Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Website [Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-FrontDoor [Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-CDNEndpoints [Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Cognitive Services Deny-CognitiveServices-RestrictOutboundNetworkAccess Outbound network access should be restricted for Cognitive Services Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ACI [Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Modify-NSG Enforce specific configuration of Network Security Groups (NSG) This policy enforces the configuration of Network Security Groups (NSG). Default
Modify
Allowed
Modify, Disabled 		count: 001
Network Contributor
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-iotHub [Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-NetworkAclsVirtualNetworkRules Virtual network rules should be restricted for Storage Accounts Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-SignalR [Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Cognitive Services Deny-CognitiveServices-Resource-Kinds Only explicit kinds for Cognitive Services should be allowed Azure Cognitive Services should only create explicit allowed kinds. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
App Service Deny-AppService-without-BYOC App Service certificates must be stored in Key Vault App Service (including Logic apps and Function apps) must use certificates stored in Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VWanS2SVPNGW [Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-Arc-SQL-DCR-Association [Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR (2227e1f1-23dd-4c3a-85a9-7024a401d8b2) BuiltIn		 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WVDAppGroup [Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-NIC [Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-CognitiveServices [Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Managed Identity Deploy-UserAssignedManagedIdentity-VMInsights [Deprecated]: Deploy User Assigned Managed Identity for VM Insights Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-minTLS [Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html Default
Deny
Allowed
Audit, Deny, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Policy (fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9) 		2024-06-03 17:39:43 ALZ
Network Modify-UDR Enforce specific configuration of User-Defined Routes (UDR) This policy enforces the configuration of User-Defined Routes (UDR) within a subnet. Default
Modify
Allowed
Modify, Disabled 		count: 001
Network Contributor
add
 new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-CorsRules Storage Accounts should restrict CORS rules Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VMSS [Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-TimeSeriesInsights [Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WVDWorkspace [Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VM [Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
PostgreSQL 5375a5bb-22c6-46d7-8a43-83417cfb4460 Private endpoint should be enabled for PostgreSQL flexible servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL 086709ac-11b5-478d-a893-9567a16d2ae3 Log connections should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_connections setting enabled. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL dacf07fa-0eea-4486-80bc-b93fae88ac40 Connection throttling should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL c29c38cb-74a7-4505-9a06-e588ab86620a Enforce SSL connection should be enabled for PostgreSQL flexible servers Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL flexible server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database flexible server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your PostgreSQL flexible server. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-05-27 16:38:31 BuiltIn
Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.0 > 2.1.0) 2024-05-27 16:38:31 BuiltIn
PostgreSQL 70be9e12-c935-49ac-9bd8-fd64b85c1f87 Log checkpoints should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_checkpoints setting enabled. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL cee2f9fd-3968-44be-a863-bd62c9884423 Geo-redundant backup should be enabled for Azure Database for PostgreSQL flexible servers Azure Database for PostgreSQL flexible servers allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-05-27 16:38:31 BuiltIn
PostgreSQL 1d14b021-1bae-4f93-b36b-69695e14984a Disconnections should be logged for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-05-27 16:38:31 BuiltIn
Azure Update Manager 9905ca54-1471-49c6-8291-7582c04cd4d4 Set prerequisite for Scheduling recurring updates on Azure virtual machines. This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-05-27 16:38:31 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (3.10.0 > 3.12.0) 2024-05-27 16:38:31 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.4.0-preview > 1.5.0-preview) 2024-05-17 18:03:56 BuiltIn
ChangeTrackingAndInventory 4485d24b-a9d3-4206-b691-1fad83bc5007 Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-05-17 18:03:56 BuiltIn
ChangeTrackingAndInventory ad1eeff9-20d7-4c82-a04e-903acab0bfc1 Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-05-17 18:03:56 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) 2024-05-17 18:03:56 BuiltIn
Cosmos DB 12339a85-a25c-4f17-9f82-4766f13f5c4c Azure Cosmos DB accounts should not allow traffic from all Azure data centers Disallow the IP Firewall rule, '0.0.0.0', which allows for all traffic from any Azure data centers. Learn more at https://aka.ms/cosmosdb-firewall Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-05-17 18:03:56 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.2.0 > 1.3.0) 2024-05-13 17:44:58 BuiltIn
Security Center 6e2593d9-add6-4083-9c9b-4b7d2188c899 Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.1.0 > 1.2.0) 2024-05-13 17:44:58 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.3.0 > 1.4.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (6.3.0 > 6.4.0) 2024-05-13 17:44:58 BuiltIn
Backup bdff5235-9f40-4a32-893f-38a03d5d607c [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag. Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2024-05-13 17:44:58 BuiltIn
Guest Configuration a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4 Audit SSH security posture for Linux (powered by OSConfig) This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-05-13 17:44:58 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.6.0 > 3.7.0) 2024-05-13 17:44:58 BuiltIn
Backup 9a021087-bba6-42fd-b535-bba75297566b [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag. Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2024-05-13 17:44:58 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.3.0 > 1.4.0) 2024-05-13 17:44:58 BuiltIn
Backup 6e68865f-f3cd-48ec-9bba-54795672eaa4 [Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region Enforce backup for all Azure Disks (Managed Disks) that do not contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Backup Contributor
add
 new Policy 2024-05-13 17:44:58 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.2.0 > 1.3.0) 2024-05-13 17:44:58 BuiltIn
Backup 7b5a3b1d-d2e1-4c0b-9f3b-ad0b9a2283f4 [Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region Enforce backup for all Azure Disks (Managed Disks) that contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Backup Contributor
add
 new Policy 2024-05-13 17:44:58 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.2.0 > 4.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.2.0 > 4.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.6.0 > 3.7.0) 2024-05-13 17:44:58 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring c84e5349-db6d-4769-805e-e14037dab9b5 Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-05-13 17:44:58 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 50d96640-65c9-42de-b79a-95c1890c6ec8 Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkfunction/azuretrafficcollectors. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2853b2ac-3ce0-4e51-a1e3-086591e7028a Enable logging by category group for Relays (microsoft.relay/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Relays (microsoft.relay/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c5ecf495-6caa-445c-b431-04fda56c555a Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for ExpressRoute circuits (microsoft.network/expressroutecircuits). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bbf47f27-95e4-46a0-82e1-898ce046d857 Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.azuresphere/catalogs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9ba29e83-863d-4fec-81d0-16dd87067cc3 Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3d9b8097-326d-4675-8cff-cce4580c9208 Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3dd58519-427e-42a4-8ffc-e415a3c716f1 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f018b68f-d953-4238-81a3-94a0f39507e3 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2453e322-a7e5-4905-ba1e-ac6ea60ff808 Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 14681907-c749-4d60-8eae-1038537fb8a3 Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring edf35972-ed56-4c2f-a4a1-65f0471ba702 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 7860f3fe-0db3-42d4-bf3d-7042ea5e5787 Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbformysql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6af023b1-4841-4b54-8f3d-69caa4e558cb Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application groups (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 76539a09-021e-4300-953b-4c6018ac26dc Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 1aa5a06a-0cee-4598-8200-94755d500381 Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ca05d7f2-6625-4cc3-a65a-4931b45ff139 Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bot Services (microsoft.botservice/botservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ee64264d-f9e3-4a0e-bbe2-db4319aeaf42 Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Endpoints (microsoft.cdn/profiles/endpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b90ec596-faa6-4c61-9515-34085703e260 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 47f4c5ae-1b43-4620-bcbd-65e2ee6fb7c8 Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9fcae8ed-246a-407b-8f75-f3500ff2c9db Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Batch accounts (microsoft.batch/batchaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1859cd03-7f77-495d-a0ce-336a36a6830d Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application Insights (microsoft.insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 69214fad-6742-49a9-8f71-ee9d269364ab Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0925a080-ab8d-44a1-a39c-61e184b4d8f9 Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 8def4bdd-4362-4ed6-a26f-7bf8f2c58839 Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Search services (microsoft.search/searchservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3d28ea18-8e88-4160-96ff-4b6af4fd94c7 Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for HPC caches (microsoft.storagecache/caches). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3227dfd8-3536-4336-94c9-78633be6baa2 Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 73baf464-93bb-450f-bda5-209c16d28dc3 Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1d98c506-1460-4424-9006-84210fa5214a Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 40f0d036-d73d-45a9-8c3d-f3f84d227193 Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Batch accounts (microsoft.batch/batchaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 75a112bc-759f-4f29-83cc-799019db39c3 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 55d1f543-d1b0-4811-9663-d6d0dbc6326d Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 824142d3-eccb-4b7c-8403-319610811237 Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data collection rules (microsoft.insights/datacollectionrules). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 145ff119-bfcf-443a-834c-b59859ec3ee7 Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Caches (microsoft.cache/redisenterprise/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 34705075-71e2-480c-a9cb-6e9387f47f0f Enable logging by category group for Relays (microsoft.relay/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Relays (microsoft.relay/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 434b25a4-5396-41ec-97aa-1f4ae3bf269d Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a474a6be-35da-4c8a-ae97-f97d03bbd213 Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dev centers (microsoft.devcenter/devcenters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 93a604fe-0ec2-4a99-ab8c-7ef08f05555a Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 1cd30d13-d34c-4cb8-8f9d-4692f7d40d97 Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5798b390-1b02-47b7-88fb-90adf07e8d1b Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 72d254bb-d0ed-42f2-9160-6b11b65b599c Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1568dd08-cca0-4073-bfd8-e08a7fdc543e Enable logging by category group for microsoft.workloads/sapvirtualinstances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 42e5ad1f-57fd-49a7-b0e4-c7a7ae25ba3d Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63f9b4b2-de99-4b16-ad94-1a5464ac4f7d Enable logging by category group for microsoft.synapse/workspaces/kustopools to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3ca36b5c-2f29-41a0-9b1d-80e2cdf2d947 Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Load balancers (microsoft.network/loadbalancers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 76e7a3b8-3822-4ca2-92d8-c20616fd870b Enable logging by category group for microsoft.powerbi/tenants/workspaces to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.powerbi/tenants/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8ea88471-98e1-47e4-9f63-838c990ba2f4 Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Scaling plans (microsoft.desktopvirtualization/scalingplans). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 167dbbbc-a03a-4ebe-8e46-c34cc67f7d9d Enable logging by category group for microsoft.d365customerinsights/instances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.d365customerinsights/instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 84d8a69f-788a-4025-ba96-f36406cc9ee5 Enable logging by category group for microsoft.machinelearningservices/registries to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 614d9fbd-68cd-4832-96db-3362069661b2 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring baa4c6de-b7cf-4b12-b436-6e40ef44c8cb Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9756f174-ca74-4d7a-a56e-7104d8a954b0 Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 65a1573e-cc90-412b-8db2-ba60731b0ea6 Enable logging by category group for microsoft.customproviders/resourceproviders to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.customproviders/resourceproviders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5fbd326d-328c-414e-a922-2d6963998962 Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9b6f89db-876b-4156-9f9b-f29dcf302ad2 Enable logging by category group for microsoft.azuresphere/catalogs to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.azuresphere/catalogs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6b359d8f-f88d-4052-aa7c-32015963ecc1 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 041fdf14-0dd4-4ce0-83ff-de5456be0c85 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0fff3e39-f422-45b0-b497-33a05b996d3e Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid System Topics (microsoft.eventgrid/systemtopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 8d42b501-dd03-449d-a070-32d1db2e546b Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed databases (microsoft.sql/managedinstances/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 56ae9f08-b8c9-4a0f-8f58-5dbcd63bef84 Enable logging by category group for Relays (microsoft.relay/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Relays (microsoft.relay/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 454c7d4b-c141-43f1-8c81-975ebb15a9b5 Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Databricks Services (microsoft.databricks/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cd0a772a-62ba-4295-8311-d6710ebe967b Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data collection rules (microsoft.insights/datacollectionrules). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2fbd2ca9-e7b2-47a0-a8b2-575f3f7607d4 Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.cdn/cdnwebapplicationfirewallpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4891dace-710e-40bd-b81f-6a0b9871b50b Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b6f29e6b-4b21-4bb6-a997-38592fa02864 Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9c79e60b-99f2-49f3-b08c-630d269bddc1 Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure AD Domain Services (microsoft.aad/domainservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 144aa510-91a0-4de9-9800-43a7ef5e947f Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data factories (V2) (microsoft.datafactory/factories). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 22c8a30b-c5c1-4434-b837-2772543d3c3c Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid System Topics (microsoft.eventgrid/systemtopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a972fe34-7882-4476-87cf-eb9631785fb5 Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servergroupsv2. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8af74447-9495-4245-8e49-f74723dcd231 Enable logging by category group for microsoft.openenergyplatform/energyservices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.openenergyplatform/energyservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f08edf17-5de2-4966-8c62-a50a3f4368ff Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0b726841-c441-44ed-a2cc-d321e3be3ed7 Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/storageappliances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 18009236-18d3-48e3-bd21-4e7630153611 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 99b76532-523c-44da-8d28-3af059fd7fbb Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2d8b0f41-9850-4bac-b63b-96a882a0e683 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7646801f-46d5-48d0-9e18-efb884944f3e Enable logging by category group for microsoft.customproviders/resourceproviders to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.customproviders/resourceproviders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3234ff41-8bec-40a3-b5cb-109c95f1c8ce Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 40ce1496-89c2-40cf-80e5-3c4687d2ee4b Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 64948b6b-409d-4af2-970f-3b80fea408c1 Enable logging by category group for microsoft.networkcloud/clusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9dbcaaa7-0c1b-4861-81c2-d340661b4382 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ed251afd-72b1-4e41-b6c9-6614420f1207 Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7a8afaba-cc24-4306-b83f-d178f1a10ba2 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 23673f24-2594-43e9-9983-60a0be21bd76 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0ebe872d-7029-4292-88bc-ad3e2cf3772f Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 69e0da8f-ca50-479d-b1a8-33a31426c512 Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e1bf4d43-542a-4410-918d-7e61c8e1ac21 Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3d7d0cc7-bd72-4f41-bf55-0be57faa3883 Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c13b41e7-a45f-4600-96c0-18f84fb07771 Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f7407db8-e40d-4efd-9fff-c61298e01fd5 Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d111f33e-5cb3-414e-aec4-427e7d1080c9 Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Analytics (microsoft.datalakeanalytics/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring fea83f6c-a18a-4338-8f1f-80ecba4c5643 Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Backup vaults (microsoft.dataprotection/backupvaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b79bf56e-c296-4829-afea-6ac9263e7687 Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/dnsresolverpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b4a9c220-1d62-4163-a17b-30db7d5b7278 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring be3ddb6b-c328-4ecd-91e8-c2804868ea9c Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbformysql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ac27709a-8e3a-4abf-8122-877af1dd9209 Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a9ebdeda-251a-4311-92be-5167d73b1682 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 56288eb2-4350-461d-9ece-2bb242269dce Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0b6b8abb-7761-4e02-ae0e-2c873b5152ca Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Spring Apps (microsoft.appplatform/spring). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 79494980-ea12-4ca1-8cca-317e942b6da2 Enable logging by category group for Application Insights (microsoft.insights/components) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (microsoft.insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 415eaa04-e9db-476a-ba43-092d70ebe1e7 Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bot Services (microsoft.botservice/botservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d4d93413-9560-4252-a16d-b8c3bbaf5baf Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Analytics (microsoft.datalakeanalytics/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8e29fe36-d794-4c55-87d6-5a206031dde2 Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50bdafe5-c7b6-4812-af5f-75dc00561aed Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ba00f5fb-98f7-4542-b88a-16c5ce44f26a Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring aa78af66-1659-40aa-90b0-b35b616adbdc Enable logging by category group for microsoft.networkanalytics/dataproducts to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkanalytics/dataproducts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5edd2580-3272-4509-b121-57054b4c70c4 Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2db34cad-25ef-48e3-a787-c2cd36434cd7 Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 54c7cff6-a032-43e1-9656-d4c24665f805 Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.notificationhubs/namespaces/notificationhubs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 8d0e693f-1b54-41d1-880e-199c3caed23f Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3534c358-8a1c-4601-b6ff-43d378d65efa Enable logging by category group for microsoft.devices/provisioningservices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.devices/provisioningservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3c25d50c-bd5a-4f98-a0de-2495e000cfa7 Enable logging by category group for microsoft.openenergyplatform/energyservices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.openenergyplatform/energyservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1888f765-327a-4a8d-9816-968b34ea8b78 Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b15247e4-f83b-48b2-b34e-8ea6148a0f34 Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a7c668bd-3327-474f-8fb5-8146e3e40e40 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5cfb9e8a-2f13-40bd-a527-c89bc596d299 Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 271ccc7b-8334-48c5-b90b-edf37dfb2d00 Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data factories (V2) (microsoft.datafactory/factories). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0509e2d8-d657-4563-a7c8-b88b9180a6e8 Enable logging by category group for microsoft.community/communitytrainings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fa570aa1-acca-4eea-8e5a-233cf2c5e4c2 Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Caches (microsoft.cache/redisenterprise/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3ce7ba9e-058f-4ce9-b4d6-22e6c1238904 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 751f9297-5aae-4313-af2d-2a89226a7856 Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data factories (V2) (microsoft.datafactory/factories). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7e87b2cc-1e49-4e07-a651-a2f38d4667ad Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data collection rules (microsoft.insights/datacollectionrules). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 234bbd1b-05f6-4639-8770-1cd5278ba2c9 Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2cb215be-a09b-4623-ac2f-dfc5012b1a5b Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for ExpressRoute circuits (microsoft.network/expressroutecircuits). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ffe49e3d-50dd-4137-8fe5-6877c4384b69 Enable logging by category group for microsoft.workloads/sapvirtualinstances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 60579569-3633-42cb-ae6a-195080bf310d Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkfunction/azuretrafficcollectors. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bf6af3d2-fbd5-458f-8a40-2556cf539b45 Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 07c818eb-df75-4465-9233-6a8667e86670 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 005380e0-1f5b-467a-8ae8-8519938627f9 Enable logging by category group for microsoft.networkcloud/storageappliances to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/storageappliances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0e0c742d-5031-4e65-bf96-1bee7cf55740 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3496f6fd-57ba-485c-8a14-183c4493b781 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a511ca63-0a10-46e3-960b-bb6431e9e1a3 Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.managednetworkfabric/networkdevices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6b80a35d-1e9a-43ac-9e0b-4519ce9f09b4 Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for HPC caches (microsoft.storagecache/caches). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring bdef6e51-210f-4dc3-87b4-eef30f2e6a17 Enable logging by category group for microsoft.community/communitytrainings to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f3977509-4420-4dfa-b1c9-2ab38dfd530f Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.d365customerinsights/instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2e3285f9-ae82-4f69-b83f-5b6f1ee69f3a Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 58e22268-dacf-4b7f-b445-338a7e56d23c Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Logic apps (microsoft.logic/workflows). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2308e22a-85e9-431d-8c47-36072dfa64b5 Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.servicenetworking/trafficcontrollers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 305408ed-dd5a-43b9-80c1-9eea87a176bb Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b14e31e2-22d0-48bb-907e-cfb3487e2120 Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for HPC caches (microsoft.storagecache/caches). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 116caf13-2666-4a2e-afca-9a5f1e671b11 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 601e350d-405c-41d0-a886-72c283f8fab2 Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 14e81583-c89c-47db-af0d-f9ddddcccd9f Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5d487647-6a53-4839-8eb8-edccf5e6bf1d Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 46b2dd5d-3936-4347-8908-b298ea4466d3 Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 4b05de63-3ad2-4f6d-b421-da21f1328f3b Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 887dc342-c6bd-418b-9407-ab0e27deba36 Enable logging by category group for microsoft.synapse/workspaces/kustopools to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b4545446-0cac-4af5-b591-61544b66e802 Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5b67d7f3-488f-42df-ab16-e38a913fcdba Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Spring Apps (microsoft.appplatform/spring). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fc2bb2e1-739a-4a03-86a2-16ad55e90bd9 Enable logging by category group for microsoft.powerbi/tenants/workspaces to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.powerbi/tenants/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 958060c2-8d8e-478e-b3ec-d3d2249b461c Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f8352124-56fa-4f94-9441-425109cdc14b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 99b3bfad-aef0-476d-ae98-40861f8eae22 Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application groups (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6f3f5778-f809-4755-9d8f-bd5a5a7add85 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring be26ca28-761d-4538-b78a-975eb47c680c Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6308bf75-8340-4bab-b2ec-2f5000697af4 Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 83089e56-9675-4bc8-ae7d-ca4547dc764b Enable logging by category group for microsoft.network/networksecurityperimeters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5164fdc7-cfcd-4bd8-a3e9-f4be93166cde Enable logging by category group for microsoft.workloads/sapvirtualinstances to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a819f227-229d-44cb-8ad6-25becdb4451f Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 78d285d5-f767-43f8-aa36-4616daaf9d51 Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Backup vaults (microsoft.dataprotection/backupvaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 29565b0a-e1b5-49c1-94bf-b8b258656460 Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 818719e5-1338-4776-9a9d-3c31e4df5986 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5e23caa9-3cea-4f5b-a181-ba6a3bdb91ef Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure API for FHIR (microsoft.healthcareapis/services). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring de5d5895-642e-4d19-a14e-08a67b2dd152 Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2f6556cb-a2da-4130-a0dd-e5d05dccf9bb Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Video Indexer (microsoft.videoindexer/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e0f5ec01-8979-49bf-9fd7-2a4eff9fa8e0 Enable logging by category group for microsoft.network/vpngateways to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/vpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 90425e88-1eab-420c-964e-fc1dc79833a6 Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Batch accounts (microsoft.batch/batchaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9f4e810a-899e-4e5e-8174-abfcf15739a3 Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring bb7bbee6-718c-4a71-a474-9f9f0e2a55e4 Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c3b912c2-7f5b-47ac-bd52-8c85a7667961 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2eb903dd-4881-4284-a31d-4bae3f053946 Enable logging by category group for microsoft.community/communitytrainings to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 02f64cac-bab0-4950-bb95-51f2d3970efa Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e260a121-c160-4da3-8a0f-e2c0ff6c561e Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 257954d9-4adf-410b-9751-3bb22fe9c180 Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure AD Domain Services (microsoft.aad/domainservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 14ed86b4-ea45-4b1b-98a5-eb8f5f7da726 Enable logging by category group for microsoft.openenergyplatform/energyservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.openenergyplatform/energyservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a21ac20a-4dd3-40e9-8036-b3351ecf9319 Enable logging by category group for microsoft.timeseriesinsights/environments to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 90c90eda-bfe7-4c67-bf26-410420ed1047 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 315c965f-c0d7-4397-86d3-c05a0981437a Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 819c6fd1-432a-4516-a9cb-0c4462af610f Enable logging by category group for microsoft.powerbi/tenants/workspaces to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.powerbi/tenants/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 867c08d5-bc47-404d-9a1b-0aec7a8d34eb Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8181847d-3422-4030-b815-481934740b63 Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.azuresphere/catalogs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Azure Update Manager 9905ca54-1471-49c6-8291-7582c04cd4d4 Set prerequisite for Scheduling recurring updates on Azure virtual machines. This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f62b9eab-b489-4388-9874-b0a62ca31327 Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 557c828f-aa51-40d9-868a-cff8d3982818 Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 03a087c0-b49f-4440-9ae5-013703eccc8c Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a5385dba-3caf-43da-8804-c68174d315a7 Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e6acdfc4-25e3-4b36-9b0c-5c5743edd1b7 Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6ee1c58c-a123-4cd6-8643-48b2f7ffb3e1 Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networkmanagers/ipampools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 887d1795-3d3d-4859-9ef4-9447392db2ea Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 116b1633-30d0-4e9a-a665-8aea3dc906c6 Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.servicenetworking/trafficcontrollers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c29fe1b2-c0b0-4d92-a988-84b484801707 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d3abca82-2ae2-4707-bf5e-cfc765ce9ff1 Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.servicenetworking/trafficcontrollers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b88bfd90-4da5-43eb-936f-ae1481924291 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e9c56c41-d453-4a80-af93-2331afeb3d82 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e6421995-539a-4ce3-854b-1c88534396cf Enable logging by category group for microsoft.networkcloud/baremetalmachines to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0120ef84-66e7-4faf-aad8-14c36389697e Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0bb5a1fb-b1ad-45fd-880e-a590f2ec8d1c Enable logging by category group for microsoft.documentdb/cassandraclusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ccdd9d7c-2bb6-465b-8ea1-5584b4af072e Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63a8eb0d-f030-4bc6-a1e4-6998f23aa160 Enable logging by category group for microsoft.networkcloud/clusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring db20d5eb-782b-4c4d-b668-06816ec72c58 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8963c37c-1113-4f1b-ae2e-3a5dd960a7f1 Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0e4325e3-228b-40f0-83ae-9c03276858c1 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2f4d1c08-3695-41a7-a0a0-8db4a0e25233 Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Recovery Services vaults (microsoft.recoveryservices/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ae0fc3d3-c9ce-43e8-923a-a143db56d81e Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring da9b245a-05a9-4c2a-acb3-5afe62658776 Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 84509667-1a94-4255-9e5f-b479075c1069 Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servergroupsv2. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ca09affa-60d6-4cef-9037-b7372e1ac44f Enable logging by category group for microsoft.network/vpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/vpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f0d25196-1ea4-49e1-ad53-ccada27b4862 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b797045a-b3cd-46e4-adc4-bbadb3381d78 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 68ba9fc9-71b9-4e6f-9cf5-ecc07722324c Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d7d59290-3ee5-4c1b-b408-c38b21799aea Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.managednetworkfabric/networkdevices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b678d84d-9723-4df0-a131-82c730231f1e Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Recovery Services vaults (microsoft.recoveryservices/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a285df35-0164-4f4d-9e04-c39056742c55 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a6dd4d00-283d-4765-b3d1-44ace2ccacda Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkfunction/azuretrafficcollectors. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5a1fa110-16bc-49d0-a045-29a552b67cef Enable logging by category group for microsoft.synapse/workspaces/kustopools to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 322b6192-a99b-4ab6-9b40-43ca19dcd0d9 Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a81eb966-6696-46b1-9153-bed01569a7d0 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9df7e623-1f7c-47fa-9db6-777c9a3f2636 Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bbdbb83b-cbfe-49f7-b7d1-1126630a68b7 Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 605dd1c9-db6f-496f-ba7f-841ea3e246e0 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring d8624de8-47fe-47c0-bea0-2d8329b628fe Enable logging by category group for microsoft.network/vpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/vpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 82b076b9-2062-4516-ae4c-37b1890eabb2 Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dev centers (microsoft.devcenter/devcenters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 064a3695-3197-4354-816b-65c7b952db9e Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b9d3f759-4cda-43cf-8f64-5b01aeb1c21a Enable logging by category group for microsoft.networkcloud/clusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e1598217-5ff1-4978-b51d-f0238e100019 Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servergroupsv2. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9dc3e252-1cff-4ae5-bcad-5a92b7167d43 Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service Environments (microsoft.web/hostingenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a6d488fc-3520-4ec8-9cf6-c5e78d677651 Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0fcf2d91-8951-43be-9505-ab43dee2f580 Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c1c0dd3c-6354-4265-a88b-801f84649944 Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d3e11828-02c8-40d2-a518-ad01508bb4d7 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 1118afbc-c48d-43ae-931a-87b38956d40b Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 11638078-a29c-4cf3-ad7f-775f78327425 Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e9e99d63-621a-4a33-8799-0fb53e43f162 Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Scaling plans (microsoft.desktopvirtualization/scalingplans). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring bd0079c6-6f2d-42f4-9cee-e23930968f10 Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fe85de62-a656-4b79-9d94-d95c89319bd9 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 08240c20-e48f-47d9-9305-2a8c4da75a3e Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Storage movers (microsoft.storagemover/storagemovers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5d7409c0-fb8e-4052-9969-ef09f12fd166 Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f231d9f4-9110-40eb-979e-e4eac6602be2 Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure API for FHIR (microsoft.healthcareapis/services). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 140ad507-70f0-43cb-a7cb-a8964341aefa Enable logging by category group for Application Insights (microsoft.insights/components) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application Insights (microsoft.insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b9c8d1de-593f-472f-b32a-7e2fe0c2374a Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a2361fd4-721d-4be2-9910-53be250b99ad Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e76ef589-c7d6-42cf-a61a-13471f6f50cd Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Caches (microsoft.cache/redisenterprise/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 34c7546c-d637-4b5d-96ab-93fb6ed07af8 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring d16cdb9f-e2a8-4002-88f6-9eeaea1766f7 Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 621d8969-4918-45e7-954b-2fb0b42e7059 Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 58cb2d8e-623c-4557-bb4e-0b64cb41ec55 Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Service Environments (microsoft.web/hostingenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring abb62520-ee66-4bdb-96d3-49ad98c66131 Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Spring Apps (microsoft.appplatform/spring). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9cbc4c60-0db8-483c-999b-0f017a01a56b Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid System Topics (microsoft.eventgrid/systemtopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d8a9593e-791e-4fd7-9b22-a75b76e5de17 Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 00ec9865-beb6-4cfd-82ed-bd8f50756acd Enable logging by category group for microsoft.network/p2svpngateways to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring acbb9698-46bd-4800-89da-e3473c4ab10d Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 20a921eb-1c4b-4bb7-a78f-6653ad293dba Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 93319447-e347-406b-953f-618c3b599554 Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for ExpressRoute circuits (microsoft.network/expressroutecircuits). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cf6ff94d-c483-4491-976a-eb784101217a Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0ba93a1b-ac4d-4e7b-976a-548a18be1e52 Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5e6697bc-9d6d-4de9-95f9-898f130372df Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Video Indexer (microsoft.videoindexer/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63d1a629-735c-448b-b45f-5e3865e84cf5 Enable logging by category group for Logic apps (microsoft.logic/workflows) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Logic apps (microsoft.logic/workflows). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 041e904a-33e5-45fd-b3f6-4ac95f1f8761 Enable logging by category group for microsoft.devices/provisioningservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.devices/provisioningservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring aec4c33f-2f2a-4fd3-91cd-24a939513c60 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 92012204-a7e4-4a95-bbe5-90d0d3e12735 Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a12e0815-0735-48d9-b5b3-8a3b60a85b86 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 85779c9a-7fdf-4294-937c-ded183166fa8 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bfc6b185-2af1-4998-a32e-c0144792eeb2 Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Service Environments (microsoft.web/hostingenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 33835ef6-bc67-4bde-bf5f-5a857f195a57 Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 69d4fcec-8426-426a-ad48-439fd3b14e9e Enable logging by category group for microsoft.dbforpostgresql/servers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50ca36f4-5306-4275-ad42-a40ca2805c77 Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Databricks Services (microsoft.databricks/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f48c1843-fc88-47c1-9b01-4527c76c890a Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Managed Grafana (microsoft.dashboard/grafana). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 944eae3e-6b16-4864-86e1-1b23d58386d5 Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a271e156-b295-4537-b01d-09675d9e7851 Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9529ceaf-8c7e-4149-bcb6-f38f63c5e4bd Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1bd91eae-4429-4f23-b780-8c9622e023e3 Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure AD Domain Services (microsoft.aad/domainservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f873a711-0322-4744-8322-7e62950fbec2 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2cc39a57-5106-4d41-b872-55c2b9d7b729 Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 94d707a8-ce27-4851-9ce2-07dfe96a095b Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 590b6105-4715-4e8b-8049-c5a4ae07d8e9 Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring efa9bf93-28f9-4f05-8e8c-31b8875e9713 Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Storage movers (microsoft.storagemover/storagemovers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring eb2fea88-fa7b-4531-a4c1-428c618fbcc8 Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 106cd3bd-50a1-466c-869f-f9c2d310477b Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f9431f54-4c78-47ef-aac9-2b37cbaeae75 Enable logging by category group for Logic apps (microsoft.logic/workflows) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Logic apps (microsoft.logic/workflows). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f5094957-e0f7-4af2-9e14-13d60141dc4a Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring aade2723-e7f6-46fd-b1dc-e6c2c7f7edc4 Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1c5187ed-9863-4961-bb92-c72bc3883e24 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ec51b91e-e03d-4435-b6e7-dcaffe6ba5c0 Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.customproviders/resourceproviders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4ce6d386-fc8e-4ac4-9bff-e5859625cea4 Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Endpoints (microsoft.cdn/profiles/endpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 81039988-1f84-4aa6-8039-0a64c2a301b4 Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 059e6dd0-544a-4c93-abad-b3ad77667339 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2137dd9f-94ac-413f-93a8-d068966308c9 Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5360664a-5821-4f43-8988-3f0ed8f3f8a5 Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkanalytics/dataproducts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 69ab8bfc-dc5b-443d-93a7-7531551dec66 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 889bfebf-7428-426e-a86f-79e2a7de2f71 Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Load balancers (microsoft.network/loadbalancers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b55f2e8e-dc76-4262-a0e3-45f02200ff0e Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 30499756-47d6-493c-9e57-ee3db2d9fa96 Enable logging by category group for microsoft.insights/autoscalesettings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 77c56019-5c71-4d33-9ce3-7a817f2bc7fa Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4c67a1c0-8e77-4f4b-b572-5c11695aae2d Enable logging by category group for microsoft.d365customerinsights/instances to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.d365customerinsights/instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4d46b9c1-0a86-41bf-aaf2-74d0ebf8ce66 Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.cdn/cdnwebapplicationfirewallpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fc66c506-9397-485e-9451-acc1525f0070 Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 567c93f7-3661-494f-a30f-0a94d9bfebf8 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring ebd6e41f-c33e-4e16-9249-cee4c68e6e8c Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.notificationhubs/namespaces/notificationhubs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0dac4c0b-0ca4-4c6e-9a09-61917873b3b0 Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 087dbf66-448d-4235-b7b8-17af48edc9db Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e25bcb29-0412-42c3-a526-1ff794310a1e Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure API for FHIR (microsoft.healthcareapis/services). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f55ffc18-72c5-479c-a998-dc6806a6fa89 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e74570cf-1b7d-4bed-b79e-d1fd1117a39a Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Endpoints (microsoft.cdn/profiles/endpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4c9cd884-3e45-4588-ac9d-00d44be2cbcd Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 339855ce-39c1-4a70-adc9-103ea7aac99f Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 39741c6f-5e8b-4511-bba4-6662d0e0e2ac Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 8464ded4-af15-4319-950f-a30400d35247 Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 244bcb20-b194-41f3-afcc-63aef382b64c Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves) Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (1.0.0 > 1.0.1) 2024-04-29 17:47:10 BuiltIn
Monitoring 6f7fa8b1-4456-4d4c-94c2-1f1651b18235 Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a26c842f-bee7-4a1f-9ae1-a973d3a0075a Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 60af09fa-d167-44da-9bfc-21a49546a7b5 Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Backup vaults (microsoft.dataprotection/backupvaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6248cb7c-e485-42ad-ba20-b1ee8fba7674 Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Databricks Services (microsoft.databricks/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0fdc6116-c747-449c-b9cc-330fcd4c5c9c Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/dnsresolverpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a08af17e-c2a3-478e-a819-94839ef02b32 Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networkmanagers/ipampools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e99ab54f-260e-4925-a70f-8fe0a92443ef Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Storage movers (microsoft.storagemover/storagemovers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 20e491a1-11fe-4d11-ab4e-a81edd23672e Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 480ee186-7504-48ac-b64e-af38673aa2c6 Enable logging by category group for Search services (microsoft.search/searchservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Search services (microsoft.search/searchservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 971199b6-1971-4d3e-85b0-fa7639044679 Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Search services (microsoft.search/searchservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a1a5f3c5-d01a-459c-8398-a3c9a79ad879 Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Video Indexer (microsoft.videoindexer/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d147ba9f-3e17-40b1-9c23-3bca478ba804 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring d98f63ed-e319-4dc3-898f-600953a05f7e Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Managed Grafana (microsoft.dashboard/grafana). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ba0ba89c-1137-407f-ae7a-19152ea7ae82 Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Load balancers (microsoft.network/loadbalancers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 20f21bc7-b0b8-4d57-83df-5a8a0912b934 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a9725bd4-a2ad-479f-a29b-5e163cada399 Enable logging by category group for microsoft.networkcloud/baremetalmachines to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dc1b5908-da05-4eed-a988-c5e32fdb682d Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/dnsresolverpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 96abcdc6-3c5a-4b0f-b031-9a4c1f36c9a6 Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5a69fd36-760e-4a65-a621-836f1159e304 Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.notificationhubs/namespaces/notificationhubs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1bd3a451-9f38-43e5-aed3-bede117c3055 Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Analytics (microsoft.datalakeanalytics/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dcb324b0-3bfa-4df4-b476-64122bde219e Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Scaling plans (microsoft.desktopvirtualization/scalingplans). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0eb11858-8d9f-4525-b9ab-cc5eab07d27a Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 39078c44-b8d4-4c7d-8579-7f021d326ebf Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 82333640-495e-4249-92bb-2a5e2d07b964 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dfe69c56-9c12-4271-9e62-7607ab669582 Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5305ea79-c247-456a-bdbd-dc35cef62ce1 Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dev centers (microsoft.devcenter/devcenters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1840aef8-71df-4a30-a108-efdb4f291a7f Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 7806c8b4-afc9-4a35-b9a9-3707413df35e Enable logging by category group for microsoft.insights/autoscalesettings to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 37d5d366-8544-498a-9106-00185b29a9e3 Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.cdn/cdnwebapplicationfirewallpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring aaa4560d-9580-4804-a5e5-b9ffb469d49e Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5fcf46f9-194c-47ff-8889-380f57ae4617 Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 12000b3e-e38b-4bef-9098-38785f06ea32 Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b70d4e3a-b1d5-4432-b058-7ea0a4c02a4e Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a83fcddb-39d0-4c21-af38-76d2c935c3ca Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 17f18067-406f-49b2-84ce-d1eb66c3fc75 Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cc789f91-3e63-4cfb-86f4-87565055f269 Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ed6ae75a-828f-4fea-88fd-dead1145f1dd Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 668e9597-4ccc-452f-80be-e9dd5b2ab897 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 60ad0a9f-f760-45ff-ab94-4c64d7439f18 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container instances (microsoft.containerinstance/containergroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3ec48f10-33fc-40d2-aaf2-028c4f7bbd02 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a8de4d0a-d637-4684-b70e-6df73b74d117 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e92686fd-65f0-420f-a52b-7da14f3cef90 Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Recovery Services vaults (microsoft.recoveryservices/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e9b1fed8-35a2-47d0-b8aa-3834f5032862 Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 95f9d29c-defd-4387-b73b-5cdb4a982bf0 Enable logging by category group for microsoft.dbformysql/flexibleservers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbformysql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a05c2daf-be1f-4d2c-8a12-b3627d477b44 Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed databases (microsoft.sql/managedinstances/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0e861bb0-d926-4cdb-b2d6-d59336b8f5b3 Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkanalytics/dataproducts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0da6faeb-d6c6-4f6e-9f49-06277493270b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 4f925033-4d52-4619-909c-9c47a687dc51 Enable logging by category group for microsoft.networkcloud/storageappliances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/storageappliances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a78631da-8506-4113-96f4-2805de193083 Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Managed Grafana (microsoft.dashboard/grafana). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f969646f-b6b8-45a0-b736-bf9b4bb933dc Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f48e8ce0-91bd-4d51-8aba-8990d942f999 Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fc744b31-a930-4eb5-bc06-e81f98bf7214 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e2526c67-0363-4da9-96f8-a95d746cf60b Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 13bf624e-fe24-40f0-9a7c-066e28a50871 Enable logging by category group for microsoft.devices/provisioningservices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.devices/provisioningservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring be9259e2-a221-4411-84fd-dd22c6691653 Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 068e22bd-8057-466b-9642-7cd2ca476158 Enable logging by category group for microsoft.timeseriesinsights/environments to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 10e8c93c-658d-47e8-aa6f-ed60f329c060 Enable logging by category group for microsoft.documentdb/mongoclusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3372b9c2-d179-4190-9f0c-e6f6304d0e93 Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application groups (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 499b7900-f44e-40ea-b8d3-2f3cf75f2ca4 Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50cebe4c-8021-4f07-bcb2-6c80622444a9 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0983eb33-77d7-47e5-9fa7-879f8cea012e Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 68d95589-2f07-42e3-ae6d-80a2ae3edbc4 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6a664864-e2b5-413e-b930-f11caa132f16 Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 852877d5-b61d-4741-b649-85a324bb3fd4 Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 35806bc0-0260-4642-bae7-0ed677b3da44 Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c600af08-49ff-4f7a-b5c9-0686749387b7 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container instances (microsoft.containerinstance/containergroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e40b8f6f-0ecf-4c3b-b095-ba3562256e48 Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 28e2d787-b5f4-43cf-8cb7-11b54773d379 Enable logging by category group for microsoft.network/networkmanagers/ipampools to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networkmanagers/ipampools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3893777a-aaf0-4b74-b08a-14ca9e5a9608 Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 20017523-2fd1-49a8-a766-79cbc572b827 Enable logging by category group for microsoft.timeseriesinsights/environments to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bd0965d6-9544-406a-90b5-dc2d566670b8 Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed databases (microsoft.sql/managedinstances/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-04-29 17:47:10 BuiltIn
Monitoring adeec880-527c-4def-a2bf-3053be70eef8 Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.managednetworkfabric/networkdevices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e97f20f4-8bf0-4a35-a319-38f4144228f5 Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bot Services (microsoft.botservice/botservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-04-29 17:47:10 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Communication 93c45b74-42a1-4967-b25d-82c4dc630921 Communication service resource should use allow listed data location Create a Communication service resource only from an allow listed data location. This data location determines where the data of the communication service resource will be stored at rest, ensuring your preferred allow listed data locations as this cannot be changed after resource creation. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-04-22 16:32:55 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.2.0 > 1.3.0) 2024-04-22 16:32:55 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) 2024-04-22 16:32:55 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-04-22 16:32:55 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.3.0 > 1.4.0) 2024-04-22 16:32:55 BuiltIn
Communication bcff6755-335b-484d-b435-d1161db39cdc Communication service resource should use a managed identity Assigning a managed identity to your Communication service resource helps ensure secure authentication. This identity is used by this Communication service resource to communicate with other Azure services, like Azure Storage, in a secure way without you having to manage any credentials. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-04-22 16:32:55 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-04-22 16:32:55 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) 2024-04-22 16:32:55 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.3.0 > 2.4.0) 2024-04-12 17:45:57 BuiltIn
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (1.1.0-preview > 1.1.1) 2024-04-12 17:45:57 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-04-12 17:45:57 BuiltIn
Monitoring f17d891d-ff20-46f2-bad3-9e0a5403a4d3 Linux Arc-enabled machines should have Azure Monitor Agent installed Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.1.0 > 1.2.0) 2024-04-12 17:45:57 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.5.0 > 3.6.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.4.0 > 3.5.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Azure Ai Services 55eff01b-f2bd-4c32-9203-db285f709d30 Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Cognitive Services Contributor
Cognitive Services OpenAI Contributor
add
 new Policy 2024-04-12 17:45:57 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-04-12 17:45:57 BuiltIn
Azure Ai Services d45520cb-31ca-44ba-8da2-fcf914608544 Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 003
Cognitive Services Contributor
Cognitive Services OpenAI Contributor
Search Service Contributor
add
 new Policy 2024-04-12 17:45:57 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.1.0 > 1.2.0) 2024-04-12 17:45:57 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.4.0 > 4.5.0) 2024-04-12 17:45:57 BuiltIn
Security Center 3d5ed4c2-5e50-4c76-932b-8982691b68ae Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2024-04-12 17:45:57 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.4.0 > 3.5.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem Default
Mutate
Allowed
Mutate, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (1.2.0-preview > 1.2.1) 2024-04-12 17:45:57 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.5.0 > 3.6.0) 2024-04-12 17:45:57 BuiltIn
Monitoring e20f31d7-6b6d-4644-962a-ae513a85ab0b Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 441af8bf-7c88-4efc-bd24-b7be28d4acce Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 8656d368-0643-4374-a63f-ae0ed4da1d9a Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 1513498c-3091-461a-b321-e9b433218d28 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 6567d3f3-42d0-4cfb-9606-9741ba60fa07 Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 021f8078-41a0-40e6-81b6-c6597da9f3ee [Preview]: Kubernetes cluster container images should not include latest image tag Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 1a3b9003-eac6-4d39-a184-4a567ace7645 [Preview]: Kubernetes cluster container images must include the preStop hook Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem Default
Mutate
Allowed
Mutate, Disabled
add
 new Policy 2024-04-08 17:52:20 BuiltIn
Security Center 0b15565f-aa9e-48ba-8619-45960f2c314d Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Security Center 6e2593d9-add6-4083-9c9b-4b7d2188c899 Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.1 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca [Deprecated]: Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, new suffix: deprecated (3.0.1 > 3.1.0-deprecated) 2024-04-08 17:52:20 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.3.0 > 4.4.0) 2024-03-29 18:59:24 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.1.1 > 1.1.2) 2024-03-29 18:59:24 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (6.2.0 > 6.3.0) 2024-03-29 18:59:24 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.1.0 > 4.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.3.0 > 3.4.0) 2024-03-25 19:17:21 BuiltIn
Backup d6588149-9f06-462c-a076-56aece45b5ba [Preview]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. Also an option to enforce Infra Encryption. This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, option to check if Backup Vault also has Infrastructure Encryption enabled. Learn more at https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk. Please note that when 'Deny' effect is used, it would need you to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault go through. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-03-25 19:17:21 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.1.0 > 4.2.0) 2024-03-25 19:17:21 BuiltIn
DevCenter ece3c79b-2caf-470d-a5f5-66470c4fc649 [Preview]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks. Disallows the use of Microsoft Hosted Networks when creating Pool resources. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-03-25 19:17:21 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (3.2.0 > 3.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (4.3.0 > 4.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.3.0 > 2.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (3.2.0 > 3.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (6.1.0 > 6.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.2.0 > 4.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (2.1.0 > 2.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.1.0 > 1.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (2.1.0 > 2.2.0) 2024-03-25 19:17:21 BuiltIn
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (2.0.2 > 2.1.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (2.0.4 > 2.1.0) 2024-03-15 22:15:34 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.3 > 1.1.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
change
 Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
change
 Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
General 78460a36-508a-49a4-b2b2-2f5ec564f4bb Do not allow deletion of resource types This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. Default
DenyAction
Allowed
DenyAction, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-03-15 22:15:34 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Trusted Launch b03bb370-5249-4ea4-9fce-2552e87e45fa Disks and OS image should support TrustedLaunch TrustedLaunch improves security of a Virtual Machine which requires OS Disk & OS Image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-03-11 18:31:50 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Minor (2.0.1 > 2.1.0) 2024-03-11 18:31:50 BuiltIn
Trusted Launch c95b54ad-0614-4633-ab29-104b01235cbf Virtual Machine should have TrustedLaunch enabled Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-03-11 18:31:50 BuiltIn
Azure Ai Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-03-11 18:31:50 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Minor (4.7.0 > 4.8.0) 2024-03-11 18:31:50 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.1 > 2.1.0) 2024-03-11 18:31:50 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.6.0 > 3.7.0) 2024-03-11 18:31:50 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (4.0.1 > 4.1.0) 2024-03-11 18:31:50 BuiltIn
Azure Ai Services 1b4d1c4e-934c-4703-944c-27c82c06bebb Diagnostic logs in Azure AI services resources should be enabled Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-03-11 18:31:50 BuiltIn
Cache 766f5de3-c6c0-4327-9f4d-042ab8ae846c Configure Azure Cache for Redis to disable non SSL ports Enable SSL only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default
Modify
Allowed
Modify, Disabled 		count: 001
Redis Cache Contributor
add
 new Policy 2024-03-11 18:31:50 BuiltIn
Stack HCI aee306e7-80b0-46f3-814c-d3d3083ed034 [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Stack HCI ae95f12a-b6fd-42e0-805c-6b94b86c9830 [Deprecated]: Azure Stack HCI systems should have encrypted volumes This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Mobile Network 7508b186-60e2-4518-bf70-3d7fbaba1f3a Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2024-03-01 17:50:27 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (1.1.0 > 1.2.0) 2024-03-01 17:50:27 BuiltIn
Stack HCI 7384fde3-11b0-4047-acbd-b3cf3cc8ce07 [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Stack HCI 5e6bf724-0154-49bc-985f-27b2e07e636b [Preview]: Azure Stack HCI servers should meet Secured-core requirements Ensure that all Azure Stack HCI servers meet the Secured-core requirements. To enable the Secured-core server requirements: 1. From the Azure Stack HCI clusters page, go to Windows Admin Center and select Connect. 2. Go to the Security extension and select Secured-core. 3. Select any setting that is not enabled and click Enable. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
 new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI dad3a6b9-4451-492f-a95c-69efc6f3fada [Preview]: Azure Stack HCI servers should have consistently enforced application control policies At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
 new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI 56c47221-b8b7-446e-9ab7-c7c9dc07f0ad [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
change
 Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated) 2024-03-01 17:50:27 BuiltIn
Stack HCI ee8ca833-1583-4d24-837e-96c2af9488a4 [Preview]: Azure Stack HCI systems should have encrypted volumes Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
 new Policy 2024-03-01 17:50:27 BuiltIn
Mobile Network aec63c84-f9ea-46c7-9e66-ba567bae0f09 Packet Core Control Plane diagnostic access should only use Microsoft EntraID authentication type Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-03-01 17:50:27 BuiltIn
Mobile Network 45c4e9bd-ad6b-4634-9566-c2dad2f03cbf SIM Group should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of SIM secrets in a SIM Group. Customer-managed keys are commonly required to meet regulatory compliance standards and they enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-03-01 17:50:27 BuiltIn
Stack HCI 36f0d6bc-a253-4df8-b25b-c3a5023ff443 [Preview]: Host and VM networking should be protected on Azure Stack HCI systems Protect data on the Azure Stack HCI hosts network and on virtual machine network connections. Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists
add
 new Policy 2024-03-01 17:50:27 BuiltIn
BuiltInPolicyTest fa8af49a-f61d-4f56-9138-46b77d37df43 [Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
change
 Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.0.1 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor (4.0.4 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.0.0 > 4.1.0) 2024-02-27 19:10:20 BuiltIn
Backup 2514263b-bc0d-4b06-ac3e-f262c0979018 [Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
change
 Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
Healthcare APIs c42dee8c-0202-4a12-bd8e-3e171cbf64dd FHIR Service should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services FHIR Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-02-27 19:10:20 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (3.1.0 > 3.2.0) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest 98cec160-6f57-4d11-86e2-0a03290a3a8a [Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
change
 Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated) 2024-02-27 19:10:20 BuiltIn
Backup d6f6f560-14b7-49a4-9fc8-d2c3a9807868 [Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-27 19:10:20 BuiltIn
VirtualEnclaves 7809fda1-ba27-48c1-9c63-1f5aee46ba89 Storage Accounts should restrict network access through network ACL bypass configuration only. To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-27 19:10:20 BuiltIn
Healthcare APIs 14961b63-a1eb-4378-8725-7e84ca8db0e6 DICOM Service should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services DICOM Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-02-27 19:10:20 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (3.1.0 > 3.2.0) 2024-02-27 19:10:20 BuiltIn
VirtualEnclaves 41a72361-06e3-4e80-832a-690bd0708bc1 Configure Storage Accounts to restrict network access through network ACL bypass configuration only. To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access. Default
Modify
Allowed
Modify, Disabled 		count: 001
Storage Account Contributor
add
 new Policy 2024-02-27 19:10:20 BuiltIn
Resilience 682e4ab9-59fe-4871-9839-265b54c568c4 [Preview]: Public IP addresses should be Zone Resilient Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Resilience 493c215c-0553-4976-bc81-57d2c04fc8c1 [Preview]: Application Gateways should be Zone Resilient Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gatewaysmthat havenexactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gatmways withn3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.1.0 > 2.2.0) 2024-02-20 22:44:08 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Resilience 42daa901-5969-47ef-92cb-b75df946195a [Preview]: Load Balancers should be Zone Resilient Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience 18314dc7-a25d-420c-a069-f094b25ff919 [Preview]: NAT gateway should be Zone Aligned NAT gateway can be configured to be Zone Aligned or not. NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an NAT gateway is configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (9.1.1 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Patch, new suffix: deprecated (3.4.0 > 3.4.1-deprecated) 2024-02-20 22:44:08 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.5.0 > 3.6.0) 2024-02-20 22:44:08 BuiltIn
Resilience 493c215d-2553-4976-bc81-57d2c04fc8c1 [Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. PostgreSQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 90bc8109-d21a-4692-88fc-51419391da3d [Preview]: Azure AI Search Service should be Zone Redundant Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.0 > 6.2.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-02-20 22:44:08 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.1.0 > 9.2.0) 2024-02-20 22:44:08 BuiltIn
Azure Ai Services 71ef260a-8f18-47b7-abcb-62d0673d94dc Azure AI Services resources should have key access disabled (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2024-02-20 22:44:08 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.3-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience ae243d87-5cf3-4dce-90bd-6d62be328de3 [Preview]: Backup and Site Recovery should be Zone Redundant Backup and Site Recovery can be configured to be Zone Redundant or not. Backup and Site Recovery is Zone Redundant if it's 'standardTierStorageRedundancy' property is set to 'ZoneRedundant'. Enforcing this policy helps ensure that Backup and Site Recovery is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-02-20 22:44:08 BuiltIn
Resilience f58e8c0a-3c79-431a-abf8-cd1b895478e8 [Preview]: Container Instances should be Zone Aligned Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 4bd1f3c0-9443-49ad-b8bc-7c17a92b5924 [Preview]: Backup Vaults should be Zone Redundant Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant if it's storage settings type is set to 'ZoneRedundant' and they are considered to be resilient. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Resilience bf45a74c-ed4f-4300-8afe-d6f0abdfe75b [Preview]: Azure HDInsight should be Zone Aligned Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 493c215d-2554-5976-bc81-57d2c04fc8c1 [Preview]: Azure Database for MySQL Flexible Server should be Zone Resilient Azure Database for MySQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. MySQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, MySQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 42daa904-5969-47ef-92fb-b75df946195a [Preview]: Container App should be Zone Redundant Container App can be configured to be Zone Redundant or not. A Container App is Zone Redundant if its managed environment's 'ZoneRedundant' property is set to true. This policy identifies Container App lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Minor (4.5.0 > 4.7.0) 2024-02-20 22:44:08 BuiltIn
Resilience 18314dc7-a25d-420c-a069-f094b25ff91b [Preview]: Firewalls should be Zone Resilient Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in its zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in its zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-02-20 22:44:08 BuiltIn
Resilience 42daa904-5969-47ef-92cb-b75df946195a [Preview]: API Management Service should be Zone Redundant API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in it's zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2024-02-20 22:44:08 BuiltIn
Azure Ai Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.0.0 > 3.1.0) 2024-02-20 22:44:08 BuiltIn
Network 3e9965dc-cc13-47ca-8259-a4252fd0cf7b Configure virtual network to enable Flow Log and Traffic Analytics Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current setting for virtual networks that already have these feature enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-02-13 19:27:15 BuiltIn
Key Vault 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-02-13 19:27:15 BuiltIn
Network cd6f7aff-2845-4dab-99f2-6d1754a754b0 Deploy a Flow Log resource with target virtual network Configures flow log for specific virtual network. It will allow to log information about IP traffic flowing through an virtual network. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
Monitoring 6bb23bce-54ea-4d3d-b07d-628ce0f2e4e3 Enable logging by category group for Workspace (microsoft.desktopvirtualization/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Workspace (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Security Center d38668f5-d155-42c7-ab3d-9b57b50f8fbf Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers Audit PostgreSQL flexible servers without Advanced Data Security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 6f95136f-6544-4722-a354-25a18ddb18a7 Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Host pool (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Backup 4510daf9-5abc-4d7d-a11d-d84416b814f6 [Preview]: Azure Backup should be enabled for Blobs in Storage Accounts Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Backup a25a41a7-a769-4271-841d-7ce0297be0c0 [Preview]: Azure Backup should be enabled for Managed Disks Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring a4490248-cb97-4504-b7fb-f906afdb7437 Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewall (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.1.0 > 1.1.1) 2024-02-13 19:27:15 BuiltIn
Key Vault 0a075868-4c26-42ef-914c-5bc007359560 Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.2.0-preview > 2.2.1) 2024-02-13 19:27:15 BuiltIn
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.1.0-preview > 2.1.1) 2024-02-13 19:27:15 BuiltIn
Monitoring 3aa571d2-2e4f-4e92-8a30-4312860efbe1 Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Application group (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Security Center f9e2bd2f-47c7-4059-8265-c5292aa62c8a Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_EXCLUDE_LINUX_...), for enabling auto provisioning of MDE for Linux servers. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Backup 0b0434ec-2bad-4229-965f-bb7ae5a71257 [Preview]: Azure Backup should be enabled for AKS clusters Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring e9c22e0d-1f03-44da-a9d5-a9754ea53dc4 Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Function App (microsoft.web/sites). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.4.0 > 3.5.0) 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) 2024-02-13 19:27:15 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.4.0 > 3.5.0) 2024-02-13 19:27:15 BuiltIn
Monitoring 45c6bfc7-4520-4d64-a158-730cd92eedbc Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 244bcb20-b194-41f3-afcc-63aef382b64c Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves) Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Security Center 48666c5d-cec1-4043-ab6b-1be05abb24f2 Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_UNIFIED_SOLUTION), for enabling auto provisioning of MDE Unified Agent for Windows Server 2012R2 and 2016. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Backup fda9cd0b-094c-4cd5-ac2a-5e06e5277c45 [Preview]: Azure Backup Extension should be installed in AKS clusters Ensure protection installation of backup extension in your AKS Clusters to leverage Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring c0d8e23a-47be-4032-961f-8b0ff3957061 Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service (microsoft.web/sites). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.3.0 > 3.4.0) 2024-02-13 19:27:15 BuiltIn
Monitoring cdd1dbc6-0004-4fcd-afd7-b67550de37ff Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2024-02-13 19:27:15 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-02-13 19:27:15 BuiltIn
Security Center da56d295-2889-41ce-a4cd-6f50fb93aa68 Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP) Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP), for Windows downlevel machines onboarded to MDE via MMA, and auto provisioning of MDE on Windows Server 2019 , Windows Virtual Desktop and above. Must be turned on in order for the other settings (WDATP_UNIFIED, etc.) to work. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2024-02-13 19:27:15 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.3.0 > 3.4.0) 2024-02-13 19:27:15 BuiltIn
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR [Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1)

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn		 2024-02-05 19:33:54 ALZ
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR [Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn		 2024-01-31 19:57:15 ALZ
Security Center 72f8cee7-2937-403d-84a1-a4e3e57f3c21 Configure Microsoft Defender CSPM plan Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2024-01-31 19:57:15 BuiltIn
Security Center Deploy-MDFC-SQL-AMA [Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy

Superseded by: Configure SQL Virtual Machines to automatically install Azure Monitor Agent (f91991d1-5383-4c95-8ee5-5ac423dd8bb1) BuiltIn		 2024-01-31 19:57:15 ALZ
Security Center 5eb6d64a-4086-4d7a-92da-ec51aed0332d Configure Microsoft Defender for Servers plan New capabilities are continuously being added to Defender for Servers, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2024-01-31 19:57:15 BuiltIn
Managed Identity Deploy-UserAssignedManagedIdentity-VMInsights [Deprecated]: Deploy User Assigned Managed Identity for VM Insights Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2024-01-31 19:57:15 ALZ
Security Center 17bc14a7-92e1-4551-8b8c-80f36953e166 Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) Microsoft Defender for Storage provides Azure-native threat detection for storage accounts. This policy enables basic features (Activity Monitoring). For full protection, including Malware Scanning and Sensitive Data Discovery, use aka.ms/DFStoragePolicy. Major version update: PerTransaction is no longer supported for new enablements after Feb 5, 2025. Existing accounts using it remain supported. Learn more: aka.ms/DF-Storage/NewPlanMigration. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Security Center Deploy-MDFC-Arc-SQL-DCR-Association [Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy

Superseded by: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR (2227e1f1-23dd-4c3a-85a9-7024a401d8b2) BuiltIn		 2024-01-31 19:57:15 ALZ
Security Center 1f725891-01c0-420a-9059-4fa46cb770b7 Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Security Center Deploy-MDFC-SQL-DefenderSQL [Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL (ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) BuiltIn		 2024-01-31 19:57:15 ALZ
Monitoring Deploy-Diagnostics-MariaDB [Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-01-31 19:57:15 ALZ
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) 2024-01-31 19:57:15 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Patch (2.1.0 > 2.1.1)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)		 2024-01-31 19:57:15 ALZ
Security Center b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor (1.0.2 > 1.1.0) 2024-01-31 19:57:15 BuiltIn
Security Center Deploy-MDFC-Arc-Sql-DefenderSQL-DCR [Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy

Superseded by: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (63d03cbd-47fd-4ee1-8a1c-9ddf07303de0) BuiltIn		 2024-01-31 19:57:15 ALZ
Security Center efd4031d-b232-4595-babf-ae817348e91b Configure Microsoft Defender for Containers plan New capabilities are continuously being added to Defender for Containers plan, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2024-01-31 19:57:15 BuiltIn
SQL 78215662-041e-49ed-a9dd-5385911b3a1f Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Synapse 738949be-6fd2-46b9-b969-99b53712b192 Configure Synapse Workspaces to use only Microsoft Entra identities for authentication Require and reconfigure Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled and re-enables Microsoft Entra-only authentication on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2024-01-24 19:15:51 BuiltIn
Key Vault d3e82b87-6673-410b-8501-1896b688b9a3 [Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
Synapse 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Minor (4.4.1 > 4.5.0) 2024-01-24 19:15:51 BuiltIn
Stack HCI 56c47221-b8b7-446e-9ab7-c7c9dc07f0ad [Deprecated]: Azure Stack HCI servers should meet Secured-core requirements This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.4.1 > 3.5.0) 2024-01-24 19:15:51 BuiltIn
Synapse c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (3.9.1 > 3.10.0) 2024-01-24 19:15:51 BuiltIn
Backup c7031eab-0fc0-4cd9-acd0-4497bd66d91a [Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
Stack HCI ae95f12a-b6fd-42e0-805c-6b94b86c9830 [Deprecated]: Azure Stack HCI systems should have encrypted volumes This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
SQL b3a22bc9-66de-45fb-98fa-00f5df42f41a Azure SQL Database should have Microsoft Entra-only authentication enabled Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
SQL abda6d70-9778-44e7-84a8-06713e6db027 Azure SQL Database should have Microsoft Entra-only authentication enabled during creation Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.1.0 > 1.2.0) 2024-01-24 19:15:51 BuiltIn
SQL 0c28c3fb-c244-42d5-a9bf-f35f2999577b Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
Stack HCI aee306e7-80b0-46f3-814c-d3d3083ed034 [Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
Synapse 6ea81a52-5ca7-4575-9669-eaa910b7edf8 Synapse Workspaces should have Microsoft Entra-only authentication enabled Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
Stack HCI 7384fde3-11b0-4047-acbd-b3cf3cc8ce07 [Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Disabled
add
 new Policy 2024-01-24 19:15:51 BuiltIn
Backup c58e083e-7982-4e24-afdc-be14d312389e [Preview]: Multi-User Authorization (MUA) must be enabled for Backup Vaults. This policy audits if Multi-User Authorization (MUA) is enabled for Backup Vaults. MUA helps in securing your Backup Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/mua-for-bv. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing 080fedce-9d4a-4d07-abf0-9f036afbc9c8 Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) that have the selected tag name and tag value(s). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing 1b8c0040-b224-4ea1-be6a-47254dd5a207 Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level) Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) in the selected scope (subscription or resource group). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 [Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Minor (4.0.0 > 4.1.0) 2024-01-22 17:47:54 BuiltIn
Security Center 2a6ae02f-7590-40d7-88ba-b18e205a32fd Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.1.0 > 2.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-01-22 17:47:54 BuiltIn
Guest Configuration e79ffbda-ff85-465d-ab8e-7e58a557660f [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
SQL 80ed5239-4122-41ed-b54a-6f1fa7552816 Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (4.1.0 > 4.2.0) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 98cec160-6f57-4d11-86e2-0a03290a3a8a [Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) 2024-01-22 17:47:54 BuiltIn
ElasticSan 6a92fe1f-0b86-44ae-843d-2db3d2b571ae ElasticSan should disable public network access Disable public network access for your ElasticSan so that it's not accessible over the public internet. This can reduce data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Minor (4.0.0 > 4.1.0) 2024-01-22 17:47:54 BuiltIn
SQL db048e65-913c-49f9-bb5f-1084184671d3 Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.1.0 > 3.2.0) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
add
 new Policy 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest fa8af49a-f61d-4f56-9138-46b77d37df43 [Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn. This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing 9e4879d9-c2a0-4e40-8017-1a5a5327c843 Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) that have the selected tag name and tag value(s). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.1.0 > 2.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2024-01-22 17:47:54 BuiltIn
Security Center - Granular Pricing f6ff485a-7630-4730-854d-cd3ad855435e Configure Azure Defender for Servers to be disabled for all resources (resource level) Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) in the selected scope (subscription or resource group). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-01-22 17:47:54 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
add
 new Policy 2024-01-22 17:47:54 BuiltIn
ElasticSan 1abc5157-29f8-4dbd-b28e-ff99526cb8b7 ElasticSan Volume Group should use private endpoints Private endpoints lets administrator connect virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to volume group, administrator can reduce data leakage risks Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-01-22 17:47:54 BuiltIn
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (4.1.0 > 4.2.0) 2024-01-22 17:47:54 BuiltIn
SQL a6cf7411-da9e-49e2-aec0-cba0250eaf8c Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2024-01-22 17:47:54 BuiltIn
Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.1.0-deprecated > 1.2.0-deprecated) 2024-01-22 17:47:54 BuiltIn
Security Center 090c7b07-b4ed-4561-ad20-e9075f3ccaff Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.3.1 > 1.4.0) 2024-01-12 18:35:06 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.3.1 > 1.4.0) 2024-01-12 18:35:06 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
Security Center a7aca53f-2ed4-4466-a25e-0b45ade68efd Azure DDoS Protection should be enabled DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (3.0.0 > 3.0.1) 2024-01-12 18:35:06 BuiltIn
Network cd6f7aff-2845-4dab-99f2-6d1754a754b0 Deploy a Flow Log resource with target virtual network Configures flow log for specific virtual network. It will allow to log information about IP traffic flowing through an virtual network. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
VirtualEnclaves ead33d15-8ff9-44d8-be85-24144ecc859e Do not allow creation of resource types outside of the allowlist This policy prevents deployment of resource types outside of the explicitly allowed types, in order to maintain security in a virtual enclave. https://aka.ms/VirtualEnclaves Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-12 18:35:06 BuiltIn
Monitoring 752154a7-1e0f-45c6-a880-ac75a7e4f648 Public IP addresses should have resource logs enabled for Azure DDoS Protection Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (2.1.0 > 2.1.1) 2024-01-12 18:35:06 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.1 > 1.2.0) 2024-01-12 18:35:06 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.2.2 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.2.2 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (1.2.2 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Security Center c6283572-73bb-4deb-bf2c-7a2b8f7462cb SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: https://aka.ms/SQLAMAMigration Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2024-01-12 18:35:06 BuiltIn
VirtualEnclaves 337ef0ec-0703-499e-a57c-b4155034e606 Do not allow creation of specified resource types or types under specific providers The resource providers and types specified via parameter list are not allowed to be created without explicit approval from the security team. If an exemption is granted to the policy assignment, the resource can be leveraged within the enclave. https://aka.ms/VirtualEnclaves Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-12 18:35:06 BuiltIn
Security Center 2370a3c1-4a25-4283-a91a-c9c1a145fb2f [Deprecated]: Configure Azure Defender for DNS to be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor, new suffix: deprecated (1.0.2 > 1.1.0-deprecated) 2024-01-12 18:35:06 BuiltIn
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.1 > 2.0.2) 2024-01-12 18:35:06 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.2 > 1.0.3) 2024-01-12 18:35:06 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.3.1 > 1.4.0) 2024-01-12 18:35:06 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.2.1 > 1.3.0) 2024-01-12 18:35:06 BuiltIn
Security Center bdc59948-5574-49b3-bb91-76b7c986428d [Deprecated]: Azure Defender for DNS should be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-01-12 18:35:06 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.2 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Minor (1.0.3 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
Network 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee Audit flow logs configuration for every virtual network Audit for virtual network to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
VirtualEnclaves f3a7bbfd-a810-47a6-b5ba-8e17d8cffb96 Network interfaces should be connected to an approved subnet of the approved virtual network This policy blocks network interfaces from connecting to a virtual network or subnet that is not approved. https://aka.ms/VirtualEnclaves Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2024-01-12 18:35:06 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.3.1 > 1.4.0) 2024-01-12 18:35:06 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.1.2 > 1.2.0) 2024-01-12 18:35:06 BuiltIn
Security Center 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Network 3e9965dc-cc13-47ca-8259-a4252fd0cf7b Configure virtual network to enable Flow Log and Traffic Analytics Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current setting for virtual networks that already have these feature enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2024-01-12 18:35:06 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.1.2 > 1.2.0) 2024-01-12 18:35:06 BuiltIn
Network 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d Virtual networks should be protected by Azure DDoS Protection Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. Default
Modify
Allowed
Modify, Audit, Disabled 		count: 001
Network Contributor
change
 Patch (1.0.0 > 1.0.1) 2024-01-12 18:35:06 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.2.0 > 2.3.0) 2024-01-12 18:35:06 BuiltIn
Backup 31b8092a-36b8-434b-9af7-5ec844364148 [Preview]: Soft delete must be enabled for Recovery Services Vaults. This policy audits if soft delete is enabled for Recovery Services Vaults in the scope. Soft delete can help you recover your data even after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2024-01-12 18:35:06 BuiltIn
Guest Configuration ec2c1bce-5ad3-4b07-bb4f-e041410cd8db [Preview]: Nexus Compute Machines should meet Security Baseline Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-01-05 19:11:18 BuiltIn
Backup 8f09fda1-91a2-4e14-96a2-67c6281158f7 [Preview]: Do not allow creation of Recovery Services vaults of chosen storage redundancy. Recovery Services vaults can be created with any one of three storage redundancy options today, namely, Locally-redundant Storage, Zone-redundant storage and Geo-redundant storage. If the policies in your organization requires you to block the creation of vaults that belong to a certain redundancy type, you may achieve the same using this Azure policy. Default
Deny
Allowed
Deny, Disabled
add
 new Policy 2023-12-19 19:28:10 BuiltIn
ElasticSan 7698f4ed-80ce-4e13-b408-ee135fa400a5 ElasticSan Volume Group should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-12-14 19:23:04 BuiltIn
Security Center 2a6ae02f-7590-40d7-88ba-b18e205a32fd Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-12-14 19:23:04 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (9.1.0 > 9.1.1) 2023-12-14 19:23:04 BuiltIn
Guest Configuration 14b4e776-9fab-44b0-b53f-38d2458ea8be [Preview]: Extended Security Updates should be installed on Windows Server 2012 Arc machines. Windows Server 2012 Arc machines should have installed all the Extended Security Updates released by Microsoft. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 682e4ab9-59fe-4871-9839-265b54c568c4 [Preview]: Public IP addresses should be Zone Resilient Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Network ebea0d86-7fbd-42e3-8a46-27e7568c2525 Bot Protection should be enabled for Azure Application Gateway WAF This policy ensures that bot protection is enabled in all Azure Application Gateway Web Application Firewall (WAF) policies Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
SQL db048e65-913c-49f9-bb5f-1084184671d3 Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2023-12-08 20:47:07 BuiltIn
App Service cf9ca02d-383e-4506-a421-258cc1a5300d [Deprecated]: Function app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2023-12-08 20:47:07 BuiltIn
165a4137-c3ed-4fd0-a17f-1c8a80266580 n/a n/a
remove
 165a4137-c3ed-4fd0-a17f-1c8a80266580 2023-12-08 20:47:07 (i) BuiltIn
App Service 5b0bd968-5cb5-4513-8987-27786c6f0df8 App Service app slots should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
App Service 2f7c08c2-f671-4282-9fdb-597b6ef2c10d [Deprecated]: App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
 Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2023-12-08 20:47:07 BuiltIn
SQL 80ed5239-4122-41ed-b54a-6f1fa7552816 Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2023-12-08 20:47:07 BuiltIn
Resilience da8a2248-6b4a-44a7-96bf-bf1c0dd208c3 [Preview]: Virtual network gateways should be Zone Redundant Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Machine Learning 19539b54-c61e-4196-9a38-67598701be90 [Preview]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry Only deploy Registry Models in the allowed Registry and that are not restricted. Fixed
[parameters('effect')]
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience ae243d87-5cf3-4dce-90bd-6d62be328de9 [Preview]: Event Hubs should be Zone Redundant Event Hubs can be configured to be Zone Redundant or not. Event Hubs are Zone Redundant if it's 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 344ea7ca-2ba8-4d68-859b-317239714b2c [Preview]: Managed Disks should be Zone Resilient Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 2dec5f47-bc40-40d1-8c7d-a39d9d6808d1 [Preview]: Azure Kubernetes Service Managed Clusters should be Zone Redundant Azure Kubernetes Service Managed Clusters can be configured to be Zone Redundant or not. The policy checks the node pools in the cluster and ensures that avaialbilty zones are set for all the node pools. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience bdd8bbb2-1efd-48dc-a0fd-8ddcba2e96cd [Preview]: Azure Managed Grafana should be Zone Redundant Azure Managed Grafana can be configured to be Zone Redundant or not. An Azure Managed Grafana instance is Zone Redundant is it's 'zoneRedundancy' property is set to 'Enabled'. Enforcing this policy helps ensure that your Azure Managed Grafana is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience f16a3ca9-b57a-4392-b660-4c1f8442aa8d [Preview]: SQL Elastic database pools should be Zone Redundant SQL Elastic database pools can be configured to be Zone Redundant or not. SQL Elastic database pools are Zone Redundant if it's 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Network ff1f1879-a60d-4f23-9641-41e7391ec19a Azure Application Gateway should be deployed with Azure WAF Requires Azure Application Gateway resources to be deployed with Azure WAF. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
App Service eaebaea7-8013-4ceb-9d14-7eb32271373c [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2023-12-08 20:47:07 BuiltIn
App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
 Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2023-12-08 20:47:07 BuiltIn
Resilience 075896de-f4f8-465b-b6d8-9e73725bb62d [Preview]: Service Fabric Clusters should be Zone Redundant Service Fabric Clusters can be configured to be Zone Redundant or not. Servicefabric Clusters whose nodeType do not have the multipleAvailabilityZones set to true are not Zone Redundant. This policy identifies Servicefabric Clusters lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
App Service 153ab4ca-2d58-4b5d-9134-6d8c6bdd321c Function app slots should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
App Service ab6a902f-9493-453b-928d-62c30b11b5a6 Function apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
App Service 19dd1db6-f442-49cf-a838-b0786b4401ef App Service apps should have Client Certificates (Incoming client certificates) enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
BuiltInPolicyTest 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. This is a versioning test built-in. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.1 > 2.0.0) 2023-12-08 20:47:07 BuiltIn
Resilience 0fc92280-604b-4f23-9e04-5ef98d1a28df [Preview]: SQL Managed Instances should be Zone Redundant SQL Managed Instances can be configured to be Zone Redundant or not. Instances with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL managedInstances that need zone redundancy configuration to enhance availability and resilience within Azure. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 2dba5c7e-12a4-4be8-b208-f59bc49e88c2 [Preview]: Public IP Prefixes should be Zone Resilient Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 22888755-d824-4e43-8e0b-42d481836554 [Preview]: App Service Plans should be Zone Redundant App Service Plans can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for an App Service Plan, it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for App Service Plans. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
SQL a6cf7411-da9e-49e2-aec0-cba0250eaf8c Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2023-12-08 20:47:07 BuiltIn
Network 27f7fb01-5fdb-44ad-954c-d582f8659533 Bot Protection should be enabled for Azure Front Door WAF This policy ensures that bot protection is enabled in all Azure Front Door Web Application Firewall (WAF) policies Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
API Management 1dc2fc00-2245-4143-99f4-874c937f13ef Azure API Management platform version should be stv2 Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024 Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Resilience 6221cac0-bb8d-40f4-9535-5d03f713f054 [Preview]: SQL Databases should be Zone Redundant SQL Databases can be configured to be Zone Redundant or not. Databases with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL databases that need zone redundancy configuration to enhance availability and resilience within Azure. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-12-08 20:47:07 BuiltIn
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, new suffix: deprecated (1.0.4 > 1.1.0-deprecated) 2023-12-04 18:38:36 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-12-04 18:38:36 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-11-17 19:29:28 BuiltIn
SQL b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 A Microsoft Entra administrator should be provisioned for PostgreSQL servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Event Grid cd8f7644-6fe8-4516-bded-0e465ead03ac Azure Event Grid namespace MQTT broker should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-11-17 19:29:28 BuiltIn
Azure Arc 4864134f-d306-4ff5-94d8-ea4553b18c97 [Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected even after their support lifecycle has ended. Learn How to prepare to deliver Extended Security Updates for Windows Server 2012 through AzureArc please visit https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Guest Configuration Resource Contributor
Hybrid Server Resource Administrator
add
 new Policy 2023-11-17 19:29:28 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, old suffix: preview (1.1.0-preview > 1.1.1) 2023-11-17 19:29:28 BuiltIn
SQL 40e85574-ef33-47e8-a854-7a65c7500560 Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, old suffix: preview (1.0.1-preview > 1.0.2) 2023-11-17 19:29:28 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, old suffix: preview (1.2.0-preview > 1.2.1) 2023-11-17 19:29:28 BuiltIn
Event Grid 67dcad1a-ec60-45df-8fd0-14c9d29eeaa2 Azure Event Grid namespaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-11-17 19:29:28 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Event Grid 1301a000-bc6b-4d90-8414-7091e3abdc40 Azure Event Grid namespace topic broker should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-11-17 19:29:28 BuiltIn
Event Grid 2b21ce34-9c45-4037-9c84-0ac0dbd0095f Configure Azure Event Grid namespaces with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
EventGrid Contributor
Network Contributor
add
 new Policy 2023-11-17 19:29:28 BuiltIn
Event Hub 5d4e3c65-4873-47be-94f3-6f8b953a3598 Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
SQL 146412e9-005c-472b-9e48-c87b72ac229e A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.1.0 > 1.1.1) 2023-11-17 19:29:28 BuiltIn
Service Bus 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e Configure Azure Service Bus namespaces to disable local authentication Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default
Modify
Allowed
Modify, Disabled 		count: 001
Azure Service Bus Data Owner
change
 Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Guest Configuration ec2c1bce-5ad3-4b07-bb4f-e041410cd8db [Preview]: Nexus Compute Machines should meet Security Baseline Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only). Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-11-17 19:29:28 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, old suffix: preview (1.3.0-preview > 1.3.1) 2023-11-17 19:29:28 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-11-17 19:29:28 BuiltIn
Service Bus cfb11c26-f069-4c14-8e36-56c394dae5af Azure Service Bus namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
Azure Arc 4c660f31-eafb-408d-a2b3-6ed2260bd26c [Preview]: Deny Extended Security Updates (ESUs) license creation or modification. This policy enables you to restrict the creation or modification of ESU licenses for Windows Server 2012 Arc machines. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing Default
Deny
Allowed
Deny, Disabled
add
 new Policy 2023-11-17 19:29:28 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-11-17 19:29:28 BuiltIn
Event Grid cddcbb7e-a7b1-4380-b4d8-45cf77b0d561 Configure Azure Event Grid namespace MQTT broker with private endpoints Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
EventGrid Contributor
Network Contributor
add
 new Policy 2023-11-17 19:29:28 BuiltIn
Event Hub 57f35901-8389-40bb-ac49-3ba4f86d889d Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Modify
Allowed
Modify, Disabled 		count: 001
Azure Event Hubs Data Owner
change
 Patch (1.0.0 > 1.0.1) 2023-11-17 19:29:28 BuiltIn
General e624c84f-2923-4437-9fd9-4115c6da3888 Configure subscriptions to set up preview features This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-11-14 18:14:48 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch, suffix remains equal (1.0.2-deprecated > 1.0.3-deprecated) 2023-11-14 18:14:48 BuiltIn
SQL Server f692cc79-76fb-4c61-8861-467e454ac6f8 Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. Subscribe eligible Arc-enabled SQL Servers instances with License Type set to Paid or PAYG to Extended Security Updates. More on extended security updates https://go.microsoft.com/fwlink/?linkid=2239401. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Extension for SQL Server Deployment
Reader
add
 new Policy 2023-11-14 18:14:48 BuiltIn
Kubernetes ca8d5704-aa2b-40cf-b110-dc19052825ad Kubernetes clusters should minimize wildcard use in role and cluster role Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-11-14 18:14:48 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (3.0.0-deprecated > 3.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (1.0.3 > 1.0.4) 2023-11-08 19:40:08 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (5.2.0-deprecated > 5.2.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated) 2023-11-08 19:40:08 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-11-08 19:40:08 BuiltIn
Security Center 8ac833bd-f505-48d5-887e-c993a1d3eea0 API endpoints in Azure API Management should be authenticated API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-11-06 19:40:47 BuiltIn
Kubernetes 5c345cdf-2049-47e0-b8fe-b0e96bc2df35 Azure Kubernetes Service Clusters should enable cluster auto-upgrade AKS cluster auto-upgrade can ensure your clusters are up to date and don't miss the latest features or patches from AKS and upstream Kubernetes. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 85b005b2-95fc-4953-b9cb-f9ee6427c754 [Preview]: Storage Accounts should be Zone Redundant Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage,' it is not Zone Redundant. This policy ensures that your Storage Accounts use ae Zone Redundant configuration. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 42daa904-5969-47ef-92cb-b75df946195a [Preview]: API Management Service should be Zone Redundant API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in it's zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
Security Center c8acafaf-3d23-44d1-9624-978ef0f8652c API endpoints that are unused should be disabled and removed from the Azure API Management service As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-11-06 19:40:47 BuiltIn
Kubernetes a3dc4946-dba6-43e6-950d-f96532848c9f Kubernetes clusters should ensure that the cluster-admin role is only used where required The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 9d2b0a20-57d6-474c-9d12-44a4a20999c6 [Preview]: Container Registry should be Zone Redundant Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
Resilience d3ee5dcf-0c6d-49ab-aee4-f250583a7bdc [Preview]: Service Bus should be Zone Redundant Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
Resilience 1bf67da8-b100-45bf-b89d-e4669fc54411 [Preview]: Azure Cache for Redis should be Zone Redundant Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array or zonalAllocationPolicy is set to 'NoZones' or the sku is 'Basic' are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
Resilience cbe58ab0-07a8-43ea-9ccc-8ea33e4d6aa5 [Preview]: Azure Data Explorer Clusters should be Zone Redundant Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure the your Azure Data Explorer Clusters are Zone Redundant. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
SQL c9299215-ae47-4f50-9c54-8a392f68a052 Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-11-06 19:40:47 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (1.0.2-preview > 1.0.3) 2023-11-06 19:40:47 BuiltIn
Resilience 408934a8-941a-4c1e-ba88-dd035d9688f4 [Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-11-06 19:40:47 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.0.2-preview > 1.0.2-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-10-31 19:02:40 BuiltIn
Resilience 42f4f3a2-7d20-4c13-a05d-01857a626c22 [Preview]: Virtual Machines should be Zone Aligned Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-10-31 19:02:40 BuiltIn
Synapse c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-10-31 19:02:40 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Resilience d3903bdf-ab85-4cce-85d3-2934d77629d4 [Preview]: Virtual Machine Scale Sets should be Zone Resilient Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-10-31 19:02:40 BuiltIn
Resilience 44c5a1f9-7ef6-4c38-880c-273e8f7a3c24 [Preview]: Cosmos Database Accounts should be Zone Redundant Cosmos Database Accounts can be configured to be Zone Redundant or not. If the 'enableMultipleWriteLocations' is set to 'true' then all locations must have a 'isZoneRedundant' property and it must be set to 'true'. If the 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have a 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-10-31 19:02:40 BuiltIn
Kubernetes 40f1aee2-4db4-4b74-acb1-c6972e24cca8 Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (1.0.0 > 1.0.1) 2023-10-31 19:02:40 BuiltIn
SQL 78215662-041e-49ed-a9dd-5385911b3a1f Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (4.0.0 > 4.0.1) 2023-10-31 19:02:40 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (2.0.3 > 2.0.4) 2023-10-31 19:02:40 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Synapse 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (1.0.2 > 1.0.3) 2023-10-31 19:02:40 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (5.2.0-preview > 5.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
SQL Server 7148a409-0d59-4baa-925b-b3aae486a14e [Preview]: Enable system-assigned identity to SQL VM Enable system-assigned identity at scale to SQL virtual machines. You need to assign this policy at subscription level. Assign at resource group level will not work as expected. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
add
 new Policy 2023-10-31 19:02:40 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-10-31 19:02:40 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) 2023-10-31 19:02:40 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated) 2023-10-31 19:02:40 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (1.0.2 > 1.0.3) 2023-10-31 19:02:40 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-10-31 19:02:40 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-10-31 19:02:40 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated) 2023-10-31 19:02:40 BuiltIn
SQL abda6d70-9778-44e7-84a8-06713e6db027 Azure SQL Database should have Microsoft Entra-only authentication enabled during creation Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-10-31 19:02:40 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-10-31 19:02:40 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (1.0.0 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (1.0.1 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Kubernetes 450d2877-ebea-41e8-b00c-e286317d21bf Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-10-23 17:41:36 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.1.0 > 2.2.0) 2023-10-23 17:41:36 BuiltIn
General 78460a36-508a-49a4-b2b2-2f5ec564f4bb Do not allow deletion of resource types This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. Default
DenyAction
Allowed
DenyAction, Disabled
add
 new Policy 2023-10-23 17:41:36 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.3-preview) 2023-10-23 17:41:36 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (2.0.1 > 2.0.3) 2023-10-23 17:41:36 BuiltIn
Guest Configuration 828ba269-bf7f-4082-83dd-633417bc391d Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-10-16 18:01:34 BuiltIn
Internet of Things 43c323f6-0329-4f7c-a19a-6e5a5690d042 Azure Device Update accounts should use customer-managed key to encrypt data at rest Encryption of data at rest in Azure Device Update with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Learn more at:https://learn.microsoft.com/azure/iot-hub-device-update/device-update-data-encryption. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-10-16 18:01:34 BuiltIn
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (4.1.0 > 4.1.1) 2023-10-16 18:01:34 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-10-16 18:01:34 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Patch (1.0.2 > 1.0.3) 2023-10-09 18:04:57 BuiltIn
Network Audit-PrivateLinkDnsZones Audit or Deny the creation of Private Link Private DNS Zones This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-10-05 18:01:59 ALZ
App Configuration 72bc14af-4ab8-43af-b4e4-38e7983f9a1f Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-09-27 17:59:47 BuiltIn
Monitoring DenyAction-DiagnosticLogs DenyAction implementation on Diagnostic Logs. DenyAction implementation on Diagnostic Logs. Fixed
denyAction
add
 new Policy 2023-09-27 17:59:47 ALZ
SQL Deploy-SQL-minTLS SQL servers deploys a specific min TLS version requirement. Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Server Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
SQL Deploy-SqlMi-minTLS SQL managed instances deploy a specific min TLS version requirement. Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Managed Instance Contributor
change
 Minor (1.0.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
Monitoring DenyAction-ActivityLogs DenyAction implementation on Activity Logs This is a DenyAction implementation policy on Activity Logs. Fixed
denyAction
add
 new Policy 2023-09-27 17:59:47 ALZ
Storage Deploy-Storage-sslEnforcement Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Storage Account Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
SQL Deploy-MySQL-sslEnforcement Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
Container Registry 84497762-32b6-4ab3-80b6-732ea48b85a2 Container registries should prevent cache rule creation Disable cache rule creation for your Azure Container Registry to prevent pull through cache pulls. Learn more at: https://aka.ms/acr/cache. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-09-27 17:59:47 BuiltIn
SQL Deploy-PostgreSQL-sslEnforcement Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-09-27 17:59:47 ALZ
App Configuration b08ab3ca-1062-4db3-8803-eec9cae605d6 App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-09-27 17:59:47 BuiltIn
Monitoring Deploy-Diagnostics-CosmosDB [Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-09-27 17:59:47 ALZ
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Patch (1.0.1 > 1.0.2) 2023-09-22 17:59:46 BuiltIn
App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Managed Identity fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners This policy limits federation with GitHub repos to only approved repository owners. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-22 17:59:46 BuiltIn
App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Kubernetes 40f1aee2-4db4-4b74-acb1-c6972e24cca8 Configure Node OS Auto upgrade on Azure Kubernetes Cluster Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
 new Policy 2023-09-22 17:59:46 BuiltIn
App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.2 > 1.0.3) 2023-09-22 17:59:46 BuiltIn
Kubernetes 04408ca5-aa10-42ce-8536-98955cdddd4c Azure Kubernetes Service Clusters should enable node os auto-upgrade AKS node OS auto-upgrade controls node-level OS security updates. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-09-22 17:59:46 BuiltIn
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.3 > 1.0.4) 2023-09-22 17:59:46 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (3.4.0-preview > 3.4.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, old suffix: preview (3.9.0-preview > 3.9.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Azure Connected Machine Resource Administrator
change
 Patch, old suffix: preview (2.2.0-preview > 2.2.1) 2023-09-18 18:02:04 BuiltIn
Kubernetes af3c26b2-6fad-493e-9236-9c68928516ab Azure Kubernetes Service Clusters should enable Image Cleaner Image Cleaner performs automatic vulnerable, unused image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up. Learn more at: https://aka.ms/aks/image-cleaner. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-09-18 18:02:04 BuiltIn
Kubernetes 7e49285c-4bed-4564-b26a-5225ccc311f3 Deploy Image Cleaner on Azure Kubernetes Service Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
 new Policy 2023-09-18 18:02:04 BuiltIn
Media Services daccf7e4-9808-470c-a848-1c5b582a1afb [Deprecated]: Azure Media Services content key policies should use token authentication This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-09-18 18:02:04 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Patch, old suffix: preview (4.4.0-preview > 4.4.1) 2023-09-18 18:02:04 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.8.0-preview > 3.9.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 84cfed75-dfd4-421b-93df-725b479d356a Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-09-11 17:59:12 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 08a4470f-b26d-428d-97f4-7e3e9c92b366 Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch, old suffix: preview (1.1.1-preview > 1.1.2) 2023-09-11 17:59:12 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
BuiltInPolicyTest 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. This is a versioning test built-in. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-09-11 17:59:12 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch, old suffix: preview (3.1.0-preview > 3.1.1) 2023-09-11 17:59:12 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Minor, suffix remains equal (4.3.0-preview > 4.4.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch, old suffix: preview (1.2.1-preview > 1.2.2) 2023-09-11 17:59:12 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2023-09-11 17:59:12 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch, old suffix: preview (3.1.0-preview > 3.1.1) 2023-09-11 17:59:12 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview) 2023-09-11 17:59:12 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-09-11 17:59:12 BuiltIn
Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-09-01 18:00:13 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) 2023-09-01 18:00:13 BuiltIn
Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (2.0.0 > 2.1.0) 2023-09-01 18:00:13 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.0.2 > 1.1.0) 2023-09-01 18:00:13 BuiltIn
Internet of Things 383856f8-de7f-44a2-81fc-e5135b5c2aa4 Resource logs in IoT Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.1 > 3.1.0) 2023-09-01 18:00:13 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview) 2023-09-01 18:00:13 BuiltIn
Kubernetes 5dc99dae-cfb2-42cc-8762-9aae02b74e27 [Preview]: Deploy Image Integrity on Azure Kubernetes Service Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
 new Policy 2023-09-01 18:00:13 BuiltIn
Key Vault a2a5b911-5617-447e-a49e-59dbe0e0434b Resource logs in Azure Key Vault Managed HSM should be enabled To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-09-01 18:00:13 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2023-08-28 18:00:34 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.2.0 > 3.3.0) 2023-08-28 18:00:34 BuiltIn
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-08-28 18:00:34 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.3.0 > 3.4.0) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.3.0 > 3.4.0) 2023-08-28 18:00:34 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.2.0 > 3.3.0) 2023-08-28 18:00:34 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview) 2023-08-28 18:00:34 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) 2023-08-28 18:00:34 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (2.3.0 > 2.4.0) 2023-08-22 17:59:24 BuiltIn
Security Center feedbf84-6b99-488c-acc2-71c829aa5ffc SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (4.0.0 > 4.1.0) 2023-08-22 17:59:24 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Kubernetes cf426bb8-b320-4321-8545-1b784a5df3a4 [Image Integrity] Kubernetes clusters should only use images signed by notation Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center cbdd12e1-193a-445c-9926-560118c6daaa Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Security Center 2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2023-08-22 17:59:24 BuiltIn
Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.3.0 > 1.4.0) 2023-08-22 17:59:24 BuiltIn
Monitoring c7f3bf36-b807-4f18-82dc-f480ad713635 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Monitoring a0f27bdc-5b15-4810-b81d-7c4df9df1a37 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Security Center 640d2586-54d2-465f-877f-9ffc1d2109f4 Microsoft Defender for Storage should be enabled Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-08-11 17:58:20 BuiltIn
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Patch (1.0.1 > 1.0.2) 2023-08-11 17:58:20 BuiltIn
Security Center ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.2 > 1.0.3) 2023-08-11 17:58:20 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
 Patch (1.0.2 > 1.0.3) 2023-08-11 17:58:20 BuiltIn
Monitoring 7c4214e9-ea57-487a-b38e-310ec09bc21d [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview) 2023-08-11 17:58:20 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-08-03 17:56:09 BuiltIn
App Service 2374605e-3e0b-492b-9046-229af202562c Configure App Service apps to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
Kubernetes 2cc2e023-0dac-4046-875b-178f683929d5 Azure Kubernetes Service Clusters should enable workload identity Workload identity allows to assign a unique identity to each Kubernetes Pod and associate it with Azure AD protected resources such as Azure Key Vault, enabling secure access to these resources from within the Pod. Learn more at: https://aka.ms/aks/wi. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-08-03 17:56:09 BuiltIn
General 335d919a-dc24-4a94-b7cb-9f81b1a8156f Do Not Allow MCPP resources Block creation of MCPP resources. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-08-03 17:56:09 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (4.0.0 > 4.1.0) 2023-08-03 17:56:09 BuiltIn
Kubernetes e1352e44-d34d-4e4d-a22e-451a15f759a1 Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-08-03 17:56:09 BuiltIn
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (4.0.0 > 4.1.0) 2023-08-03 17:56:09 BuiltIn
App Service c6c3e00e-d414-4ca4-914f-406699bb8eee Configure App Service app slots to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.1.0 > 3.2.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-08-03 17:56:09 BuiltIn
General 176b7c36-ac64-4f15-a296-50bd7fafab12 Do Not Allow M365 resources Block creation of M365 resources. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-08-03 17:56:09 BuiltIn
Guest Configuration 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 [Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Network 2d21331d-a4c2-4def-a9ad-ee4e1e023beb App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2023-08-03 17:56:09 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.2.0 > 3.3.0) 2023-08-03 17:56:09 BuiltIn
Security Center c8acafaf-3d23-44d1-9624-978ef0f8652c API endpoints that are unused should be disabled and removed from the Azure API Management service As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-08-03 17:56:09 BuiltIn
App Service cd794351-e536-40f4-9750-503a463d8cad Configure Function apps to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.4.0-preview > 3.8.0-preview) 2023-08-03 17:56:09 BuiltIn
Guest Configuration e79ffbda-ff85-465d-ab8e-7e58a557660f [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Container Instance 41ebf9df-66cb-48e9-a8d0-98afb4e150ce Configure diagnostic settings for container groups to Log Analytics workspace Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2023-08-03 17:56:09 BuiltIn
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (3.1.0-preview > 3.3.0-preview) 2023-08-03 17:56:09 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.2.0 > 3.3.0) 2023-08-03 17:56:09 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.1.0 > 3.2.0) 2023-08-03 17:56:09 BuiltIn
Security Center 8ac833bd-f505-48d5-887e-c993a1d3eea0 API endpoints in Azure API Management should be authenticated API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-08-03 17:56:09 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-08-03 17:56:09 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Minor, suffix remains equal (4.0.0-preview > 4.3.0-preview) 2023-08-03 17:56:09 BuiltIn
Guest Configuration 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-08-03 17:56:09 BuiltIn
General 16fabb5c-7379-4433-8009-042066fa3a16 Exclude Usage Costs Resources This policy enables you to exlcude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-08-03 17:56:09 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.2.0-preview) 2023-08-03 17:56:09 BuiltIn
App Service 242222f3-4985-4e99-b5ef-086d6a6cb01c Configure Function app slots to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Operator
Network Contributor
Website Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-08-03 17:56:09 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.6.0-preview > 3.4.0-preview) 2023-07-25 17:56:05 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Minor, suffix remains equal (4.1.0-preview > 4.0.0-preview) 2023-07-25 17:56:05 BuiltIn
Cost Optimization Audit-AzureHybridBenefit Audit AHUB for eligible VMs Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-07-25 17:56:05 ALZ
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Guest Configuration 480d0f91-30af-4a76-9afb-f5710ac52b09 Private endpoints for Guest Configuration assignments should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-07-24 17:56:14 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-07-24 17:56:14 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) 2023-07-24 17:56:14 BuiltIn
Security Center 766e621d-ba95-4e43-a6f2-e945db3d7888 Setup subscriptions to transition to an alternative vulnerability assessment solution Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2023-07-24 17:56:14 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.5.0-preview > 3.6.0-preview) 2023-07-24 17:56:14 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-07-24 17:56:14 BuiltIn
Backup d6f6f560-14b7-49a4-9fc8-d2c3a9807868 [Preview]: Immutability must be enabled for Recovery Services vaults This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-07-24 17:56:14 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.3.0 > 1.4.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (3.0.0 > 3.1.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.1.0 > 3.2.0) 2023-07-14 17:56:09 BuiltIn
Compute c3921d55-b741-4d16-8d56-7f16e99e6892 Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. When export/upload URL is used, the system checks if the user has an identity in Azure Active Directory and has necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2023-07-14 17:56:09 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.3.0 > 1.4.0) 2023-07-14 17:56:09 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.1.0 > 4.2.0) 2023-07-14 17:56:09 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (3.0.0 > 3.1.0) 2023-07-14 17:56:09 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.1.0 > 3.2.0) 2023-07-14 17:56:09 BuiltIn
SQL Managed Instance 6599ab01-29bc-4852-a6f5-de9e2151714a Transparent Data Encryption must be enabled for Arc SQL managed instances. Enable transparent data encryption (TDE) at-rest on an Azure Arc-enabled SQL Managed Instance. Learn more at https://aka.ms/EnableTDEArcSQLMI. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-07-10 18:02:26 BuiltIn
SQL Managed Instance bb3c7464-033e-41ee-81dc-480fde675b20 TLS protocol 1.2 must be used for Arc SQL managed instances. As a part of network settings, Microsoft recommends allowing only TLS 1.2 for TLS protocols in SQL Servers. Learn more on network settings for SQL Server at https://aka.ms/TlsSettingsSQLServer. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-07-10 18:02:26 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-07-10 18:02:26 BuiltIn
SQL Managed Instance 413923f0-ff16-41ae-8583-90c5c5d9fa8f Customer managed key encryption must be used as part of CMK Encryption for Arc SQL managed instances. As a part of CMK encryption, Customer managed key encryption must be used. Learn more at https://aka.ms/EnableTDEArcSQLMI. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-07-10 18:02:26 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Patch (1.0.1 > 1.0.2) 2023-07-10 18:02:26 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview) 2023-07-10 18:02:26 BuiltIn
Storage c36a325b-ae04-4863-ad4f-19c6678f8e08 Configure your Storage account to enable blob versioning You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-07-10 18:02:26 BuiltIn
Storage 978deb5d-c9a7-41f8-b4b2-b76880d0de1f Modify - Configure your Storage account to enable blob versioning You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Please note existing storage accounts will not be modified to enable Blob storage versioning. Only newly created storage accounts will have Blob storage versioning enabled Default
Modify
Allowed
Modify, Disabled 		count: 001
Storage Account Contributor
add
 new Policy 2023-07-10 18:02:26 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.4.0-preview > 3.5.0-preview) 2023-07-10 18:02:26 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.0 > 2.1.0)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)		 2023-07-07 17:55:09 ALZ
SQL Deploy-Sql-vulnerabilityAssessments [Deprecated]: Deploy SQL Database vulnerability Assessments Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 003
Monitoring Contributor
SQL Security Manager
Storage Account Contributor
change
 Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)

Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ		 2023-07-07 17:55:09 ALZ
SQL Deploy-Sql-vulnerabilityAssessments_20230706 Deploy SQL Database Vulnerability Assessments Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 003
Monitoring Contributor
SQL Security Manager
Storage Account Contributor
add
 new Policy

Replaces: [Deprecated]: Deploy SQL Database vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments)		 2023-07-07 17:55:09 ALZ
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-07-03 17:55:16 BuiltIn
Backup f19b0c83-716f-4b81-85e3-2dbf057c35d6 [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. Default
Modify
Allowed
Modify, Disabled 		count: 001
Backup Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-07-03 17:55:16 BuiltIn
Backup 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda [Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Default
Modify
Allowed
Modify, Disabled 		count: 001
Backup Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-07-03 17:55:16 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.1.0 > 5.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (8.1.0 > 8.1.1) 2023-06-26 17:52:13 BuiltIn
Security Center 3ac7c827-eea2-4bde-acc7-9568cd320efa Machines should have secret findings resolved Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-06-26 17:52:13 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.1.0 > 6.1.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.1.0 > 5.1.1) 2023-06-26 17:52:13 BuiltIn
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (4.1.1-deprecated > 4.2.1-deprecated) 2023-06-26 17:52:13 BuiltIn
Data Factory 77d40665-3120-4348-b539-3192ec808307 Azure Data Factory should use a Git repository for source control Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-06-26 17:52:13 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.1.0 > 7.1.1) 2023-06-26 17:52:13 BuiltIn
Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-06-26 17:52:13 BuiltIn
App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Minor (1.1.0 > 1.2.0) 2023-06-26 17:52:13 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (4.0.0 > 4.0.1) 2023-06-26 17:52:13 BuiltIn
Key Vault d8cf8476-a2ec-4916-896e-992351803c44 Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-06-26 17:52:13 BuiltIn
Storage Deny-Storage-SFTP Storage Accounts with SFTP enabled should be denied This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureKerberos File Services with insecure Kerberos ticket encryption should be denied This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-StorageAccount-CustomDomain Storage Accounts with custom domains assigned should be denied This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-06-20 20:17:42 ALZ
Machine Learning Deny-MachineLearning-PublicNetworkAccess [Deprecated] Azure Machine Learning should have disabled public network access Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html Default
Deny
Allowed
Audit, Disabled, Deny
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Azure Machine Learning Workspaces should disable public network access (438c38d2-3772-465a-a9cc-7a6666a275ce) BuiltIn		 2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureAuth File Services with insecure authentication methods should be denied This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureSmbChannel File Services with insecure SMB channel encryption should be denied This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-06-20 20:17:42 ALZ
Storage Deny-FileServices-InsecureSmbVersions File Services with insecure SMB versions should be denied This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-06-20 20:17:42 ALZ
SQL Deny-PublicEndpoint-MariaDB [Deprecated] Public network access should be disabled for MariaDB This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html Default
Deny
Allowed
Audit, Deny, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077) BuiltIn		 2023-06-20 20:17:42 ALZ
Network Deny-Subnet-Without-Penp Subnets without Private Endpoint Network Policies enabled should be denied This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-06-20 20:17:42 ALZ
Network Deny-UDR-With-Specific-NextHop User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-06-20 20:17:42 ALZ
Logic Apps 34f95f76-5386-4de7-b824-0d8478470c9d Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (5.0.0 > 5.1.0) 2023-06-16 17:46:02 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-06-16 17:46:02 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-06-16 17:46:02 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-06-16 17:46:02 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (4.0.1 > 4.1.0) 2023-06-09 17:46:13 BuiltIn
App Service 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba App Service apps should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Minor (1.0.0 > 1.1.0) 2023-06-09 17:46:13 BuiltIn
App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
Guest Configuration faf25c8c-9598-4305-b4de-0aee1317fb31 [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.0.0-deprecated > 1.1.0-deprecated) 2023-06-09 17:46:13 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.1.0-deprecated) 2023-06-09 17:46:13 BuiltIn
Security Center ae89ebca-1c92-4898-ac2c-9f63decb045c Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.2 > 1.0.3) 2023-06-09 17:46:13 BuiltIn
App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-06-09 17:46:13 BuiltIn
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.2 > 1.0.3) 2023-06-09 17:46:13 BuiltIn
Security Center 808a7dc4-49f2-4e7b-af75-d14e561c244a [Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Backup 4d479a11-f2b5-4f0a-bb1e-d2332aa95cda [Preview]: Disable Cross Subscription Restore for Backup Vaults Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange. Default
Modify
Allowed
Modify, Disabled 		count: 001
Backup Contributor
add
 new Policy 2023-06-06 18:29:21 BuiltIn
Security Center 13a6c84f-49a5-410a-b5df-5b880c3fe009 [Preview]: Linux virtual machines should use only signed and trusted boot components All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-06-06 18:29:21 BuiltIn
Backup f19b0c83-716f-4b81-85e3-2dbf057c35d6 [Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements. Default
Modify
Allowed
Modify, Disabled 		count: 001
Backup Contributor
add
 new Policy 2023-06-06 18:29:21 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 [Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.1.0 > 1.2.0) 2023-06-06 18:29:21 BuiltIn
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Security Center e16f967a-aa57-4f5e-89cd-8d1434d0a29a [Deprecated]: Azure Security agent should be installed on your Windows virtual machine scale sets Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Security Center bb2c6c6d-14bc-4443-bef3-c6be0adc6076 [Deprecated]: Azure Security agent should be installed on your Windows virtual machines Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-06-06 18:29:21 BuiltIn
Monitoring Deploy-Diagnostics-Firewall [Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-05-30 30:17:42 ALZ
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 0eddd7f3-3d9b-4927-a07a-806e8ac9486c Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-05-26 17:43:09 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch (4.0.3 > 4.0.4) 2023-05-26 17:43:09 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.2.0 > 3.3.0) 2023-05-26 17:43:09 BuiltIn
Security Center f1525828-9a90-4fcf-be48-268cdd02361e Deploy Workflow Automation for Microsoft Defender for Cloud alerts Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (4.2.0 > 4.3.0) 2023-05-26 17:43:09 BuiltIn
Cosmos DB 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-05-26 17:43:09 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.2.0 > 1.3.0) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-05-26 17:43:09 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.2.0 > 1.3.0) 2023-05-26 17:43:09 BuiltIn
Security Center 73d6ab6c-2475-4850-afd6-43795f3492ef Deploy Workflow Automation for Microsoft Defender for Cloud recommendations Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
Security Center 509122b9-ddd9-47ba-a5f1-d0dac20be63c Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (5.0.0 > 5.0.1) 2023-05-26 17:43:09 BuiltIn
Azure Databricks 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-26 17:43:09 BuiltIn
Cosmos DB dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Modify
Allowed
Modify, Disabled 		count: 001
DocumentDB Account Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-05-26 17:43:09 BuiltIn
Monitoring Deploy-Diagnostics-APIMgmt [Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-05-22 22:17:43 ALZ
App Service Append-AppService-latestTLS AppService append sites with minimum TLS version to enforce. Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny. Default
Append
Allowed
Append, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-05-22 22:17:43 ALZ
Machine Learning 438c38d2-3772-465a-a9cc-7a6666a275ce Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
App Service 70adbb40-e092-42d5-a6f8-71c540a5efdb Configure Function app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Data Factory 3d02a511-74e5-4dab-a5fd-878704d4a61a [Preview]: Azure Data Factory pipelines should only communicate with allowed domains To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Deny
Allowed
Deny, Disabled
add
 new Policy 2023-05-22 17:43:18 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
App Service cca5adfe-626b-4cc6-8522-f5b6ed2391bd Configure App Service app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Machine Learning f59276f0-5740-4aaf-821d-45d185aa210e Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning afe0c3be-ba3b-4544-ba52-0c99672a8ad6 Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
 Patch (1.0.1 > 1.0.2) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 Azure Databricks Workspaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Security Center 090c7b07-b4ed-4561-ad20-e9075f3ccaff Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-22 17:43:18 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Patch (2.0.0 > 2.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 51c1490f-3319-459c-bbbc-7f391bbed753 Azure Databricks Clusters should disable public IP Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Security Center a1181c5f-672a-477a-979a-7d58aa086233 Security Center standard pricing tier should be selected The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center Default
Audit
Allowed
Audit, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 138ff14d-b687-4faa-a81c-898c91a87fa2 Resource logs in Azure Databricks Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Machine Learning 7804b5c7-01dc-4723-969b-ae300cc07ff1 Azure Machine Learning Computes should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Azure Databricks 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-05-22 17:43:18 BuiltIn
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)		 2023-05-17 17:17:42 ALZ
SQL e27a6dfc-883f-4f9e-97cc-a819fe702400 [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled This policy is deprecated because it uses unsupported api. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2023-05-16 17:42:35 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-05-16 17:42:35 BuiltIn
Azure Data Explorer 8945ba5e-918e-4a57-8117-fe615d12e3ba All Database Admin on Azure Data Explorer should be disabled Disable all database admin role to restrict granting highly privileged/administrative user role. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-05-16 17:42:35 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-05-12 17:41:51 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview) 2023-05-12 17:41:51 BuiltIn
Data Factory 496ca26b-f669-4322-a1ad-06b7b5e41882 Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Data Factory Contributor
Network Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-05-12 17:41:51 BuiltIn
Security Center 17f4b1cc-c55c-4d94-b1f9-2978f6ac2957 Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-12 17:41:51 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-05-05 17:42:17 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-05-05 17:42:17 BuiltIn
SQL Server f36de009-cacb-47b3-b936-9c4c9120d064 Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-05-05 17:42:17 BuiltIn
Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. Fixed
deployIfNotExists 		count: 001
Guest Configuration Resource Contributor
change
 Minor (2.0.0 > 2.1.0) 2023-05-05 17:42:17 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-05-05 17:42:17 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-05-05 17:42:17 BuiltIn
SQL 40e85574-ef33-47e8-a854-7a65c7500560 Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-01 17:41:52 BuiltIn
App Service 496223c3-ad65-4ecd-878a-bae78737e9ed App Service apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 9297c21d-2ed6-4474-b48f-163f75654ce3 [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.1 > 3.0.1-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 829b40f3-d3db-4fd2-be46-76663d3aeeb2 Function app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-01 17:41:52 BuiltIn
App Service f466b2a6-823d-470d-8ea5-b031e72d79ae App Service app slots that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-01 17:41:52 BuiltIn
App Service 7008174a-fd10-4ef0-817e-fc820a951d73 App Service apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (4.0.0 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 Configure Azure Defender for servers to be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center b99b73e7-074b-4089-9395-b7236f094491 Configure Azure Defender for Azure SQL database to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center ebb62a0c-3560-49e1-89ed-27e074e9f8ad [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 0cfea604-3201-4e14-88fc-fae4c427a6c5. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Security Center b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center f8456c1c-aa66-4dfb-861a-25d127b775c9 [Deprecated]: External accounts with owner permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 339353f6-2387-4a45-abe4-7f529d121046. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.1 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Function apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (4.0.0 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 5c607a2e-c700-4744-8254-d77e7c9eb5e4 [Deprecated]: External accounts with write permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 94e1c2ac-cbbe-4cac-a2b5-389c812dee87. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch (4.0.2 > 4.0.3) 2023-05-01 17:41:52 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
App Service 9c014953-ef68-4a98-82af-fd0f6b2306c8 App Service app slots that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-01 17:41:52 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
App Service e1d1b522-02b0-4d18-a04f-5ab62d20445f Function app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-01 17:41:52 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled or public network access disabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.1.1 > 3.2.1) 2023-05-01 17:41:52 BuiltIn
App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Function apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center aa633080-8b72-40c4-a2d7-d00c03e80bed [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e3e008c3-56b9-4133-8fd7-d3347377402a. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 50ea7265-7d8c-429e-9a7d-ca1f410191c3 Configure Azure Defender for SQL servers on machines to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (2.1.1-preview > 2.2.0-preview) 2023-05-01 17:41:52 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.1 > 4.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
 Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Monitoring 04d53d87-841c-4f23-8a5b-21564380b55e Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (2.0.0 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center e3576e28-8b17-4677-84c3-db2990658d64 [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center c9ddb292-b203-4738-aead-18e2716e858f Configure Microsoft Defender for Containers to be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
App Service 46dad49f-8945-44d7-9bb1-2e1542f627d3 App Service app slots that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-01 17:41:52 BuiltIn
Security Center 6b1cbf55-e8b6-442f-ba4c-7246b6381474 [Deprecated]: Deprecated accounts should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.1.0 > 3.2.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 1f725891-01c0-420a-9059-4fa46cb770b7 Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Security Center 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 [Deprecated]: External accounts with read permissions should be removed from your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e9ac8f8e-ce22-4355-8f04-99b911d6be52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2023-05-01 17:41:52 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.0.1 > 3.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) 2023-05-01 17:41:52 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (8.0.1 > 8.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.1 > 2.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (9.0.1 > 9.1.0) 2023-05-01 17:41:52 BuiltIn
SQL e27a6dfc-883f-4f9e-97cc-a819fe702400 [Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled This policy is deprecated because it uses unsupported api. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-05-01 17:41:52 BuiltIn
Security Center 74c30959-af11-47b3-9ed2-a26e03f427a3 [Deprecated]: Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts - please note that deprecation is for commercial cloud only. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
API Management ffe25541-3853-4f4e-b71d-064422294b11 API Management should have username and password authentication disabled To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.0.1 > 7.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Patch (1.0.0 > 1.0.1) 2023-05-01 17:41:52 BuiltIn
App Service 014664e7-e348-41a3-aeb9-566e4ff6a9df Configure App Service app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.0.1 > 5.1.0) 2023-05-01 17:41:52 BuiltIn
App Service fa3a6357-c6d6-4120-8429-855577ec0063 Configure Function app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-05-01 17:41:52 BuiltIn
Security Center 2370a3c1-4a25-4283-a91a-c9c1a145fb2f [Deprecated]: Configure Azure Defender for DNS to be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.1 > 1.0.2) 2023-05-01 17:41:52 BuiltIn
Cache Append-Redis-disableNonSslPort Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. Default
Append
Allowed
Append, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-04-25 25:17:42 ALZ
Security Center cdfcce10-4578-4ecd-9703-530938e4abcb Deploy export to Event Hub for Microsoft Defender for Cloud data Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (4.1.0 > 4.2.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration 5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Security Center af9f6c70-eb74-4189-8d15-e4f11a7ebfd4 Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-04-25 17:42:14 BuiltIn
Guest Configuration a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to specified number of characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration 237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have the minimum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
Guest Configuration 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have the maximum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-04-25 17:42:14 BuiltIn
SQL Server f36de009-cacb-47b3-b936-9c4c9120d064 Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2023-04-17 17:42:20 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-04-17 17:42:20 BuiltIn
Managed Grafana 67529aa1-5285-4b1c-8e6f-5ccd861ac98e Configure Azure Managed Grafana workspaces to disable public network access Disable public network access for your Azure Managed Grafana workspace so that it's not accessible over the public internet. This can reduce data leakage risks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2023-04-17 17:42:20 BuiltIn
API Management 1b0d74ac-4b43-4c39-a15f-594385adc38d Modify API Management to disable username and password authentication To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Modify
Allowed
Modify 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-04-17 17:42:20 BuiltIn
API Management ffe25541-3853-4f4e-b71d-064422294b11 API Management should have username and password authentication disabled To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-04-17 17:42:20 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2023-04-17 17:42:20 BuiltIn
SQL Deploy-Sql-Tde [Deprecated] Deploy SQL Database Transparent Data Encryption Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Security Manager
change
 Patch, suffix remains equal (1.1.0-deprecated > 1.1.1-deprecated)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn		 2023-04-17 17:17:42 ALZ
Network Deny-RDP-From-Internet [Deprecated] RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html Default
Deny
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated)

Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ		 2023-04-17 17:17:42 ALZ
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled or public network access disabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (3.1.0 > 3.1.1) 2023-04-11 17:42:55 BuiltIn
Network 4c3c6c5f-0d47-4402-99b8-aa543dd8bcee Audit flow logs configuration for every virtual network Audit for virtual network to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-04-06 17:42:16 BuiltIn
Managed Identity ae62c456-33de-4dc8-b100-7ce9028a7d99 [Preview]: Managed Identity Federated Credentials from Azure Kubernetes should be from trusted sources This policy limits federeation with Azure Kubernetes clusters to only clusters from approved tenants, approved regions, and a specific exception list of additional clusters. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2023-04-06 17:42:16 BuiltIn
Managed Identity 2571b7c3-3056-4a61-b00a-9bc5232234f5 [Preview]: Managed Identity Federated Credentials should be from allowed issuer types This policy limits whether Managed Identities can use federated credentials, which common issuer types are allowed, and provides a list of allowed issuer exceptions. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-04-06 17:42:16 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
BuiltInPolicyTest 36fd7371-8eb7-4321-9c30-a7100022d048 Requires resources to not have a specific tag. This is a versioning test built-in. Denies the creation of a resource that contains the given tag. Does not apply to resource groups. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-04-06 17:42:16 BuiltIn
SQL 146412e9-005c-472b-9e48-c87b72ac229e A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network cd6f7aff-2845-4dab-99f2-6d1754a754b0 Deploy a Flow Log resource with target virtual network Configures flow log for specific virtual network. It will allow to log information about IP traffic flowing through an virtual network. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-04-06 17:42:16 BuiltIn
Network 27960feb-a23c-4577-8d36-ef8b5f35e0be All flow log resources should be in enabled state Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-04-06 17:42:16 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-04-06 17:42:16 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (4.1.0 > 4.2.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 3e9965dc-cc13-47ca-8259-a4252fd0cf7b Configure virtual network to enable Flow Log and Traffic Analytics Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current setting for virtual networks that already have these feature enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-04-06 17:42:16 BuiltIn
Network 2f080164-9f4d-497e-9db6-416dc9f7b48a Network Watcher flow logs should have traffic analytics enabled Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-04-06 17:42:16 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.2.0 > 2.3.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled or public network access disabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.1.0 > 3.2.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Managed Identity fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f [Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners This policy limits federation with GitHub repos to only approved repository owners. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2023-04-06 17:42:16 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.2.0 > 2.3.0) 2023-04-06 17:42:16 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-04-06 17:42:16 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-04-06 17:42:16 BuiltIn
Network Audit-PrivateLinkDnsZones Audit or Deny the creation of Private Link Private DNS Zones This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-ServerFarms-UnusedResourcesCostOptimization Unused App Service plans driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-04-06 06:17:42 ALZ
Compute Deploy-Vm-autoShutdown Deploy Virtual Machine Auto Shutdown Schedule Deploys an auto shutdown schedule to a virtual machine Fixed
deployIfNotExists 		count: 001
Virtual Machine Contributor
add
 new Policy 2023-04-06 06:17:42 ALZ
Monitoring Deploy-Diagnostics-VWanS2SVPNGW [Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2023-04-06 06:17:42 ALZ
Monitoring Deploy-Diagnostics-EventGridTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-PublicIpAddresses-UnusedResourcesCostOptimization Unused Public IP addresses driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-04-06 06:17:42 ALZ
Network Deny-MgmtPorts-From-Internet Management port access from the Internet should be blocked This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)		 2023-04-06 06:17:42 ALZ
Monitoring Deploy-Diagnostics-WVDHostPools [Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.2.0 > 1.3.0) 2023-04-06 06:17:42 ALZ
SQL Deploy-Sql-Tde [Deprecated] Deploy SQL Database Transparent Data Encryption Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Security Manager
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn		 2023-04-06 06:17:42 ALZ
Cost Optimization Audit-Disks-UnusedResourcesCostOptimization Unused Disks driving cost should be avoided Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-04-06 06:17:42 ALZ
Network Deny-RDP-From-Internet [Deprecated] RDP access from the Internet should be blocked This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html Default
Deny
Allowed
Audit, Deny, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ		 2023-04-06 06:17:42 ALZ
API Management b741306c-968e-4b67-b916-5675e5c709f4 API Management direct management endpoint should not be enabled The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.1 > 1.0.2) 2023-03-31 17:44:15 BuiltIn
Cosmos DB da69ba51-aaf1-41e5-8651-607cd0b37088 Configure CosmosDB accounts to disable public network access Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default
Modify
Allowed
Modify, Disabled 		count: 002
Contributor
DocumentDB Account Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Monitoring cd906338-3453-47ba-9334-2d654bf845af Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-03-31 17:44:15 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Minor (3.3.0 > 3.4.0) 2023-03-31 17:44:15 BuiltIn
API Management 1b0d74ac-4b43-4c39-a15f-594385adc38d Modify API Management to disable username and password authentication To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. Default
Modify
Allowed
Modify 		count: 001
Contributor
add
 new Policy 2023-03-31 17:44:15 BuiltIn
Key Vault 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-03-31 17:44:15 BuiltIn
API Management df73bd95-24da-4a4f-96b9-4e8b94b402bd API Management should disable public network access to the service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Security Center 308fbb08-4ab8-4e67-9b29-592e93fb94fa [Deprecated]: Microsoft Defender for Storage (Classic) should be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.3 > 1.0.4) 2023-03-31 17:44:15 BuiltIn
API Management ef619a2c-cc4d-4d03-b2ba-8c94a834d85b API Management services should use a virtual network Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.1 > 1.0.2) 2023-03-31 17:44:15 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2023-03-31 17:44:15 BuiltIn
Key Vault 405c5871-3e91-4644-8a63-58e19d68ff5b Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-03-31 17:44:15 BuiltIn
Network 882e19a6-996f-400e-a30f-c090887254f4 Migrate WAF from WAF Config to WAF Policy on Application Gateway If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-03-31 17:44:15 BuiltIn
Storage 361c2074-3595-4e5d-8cab-4f21dffc835c [Deprecated]: Deploy Defender for Storage (Classic) on storage accounts This policy enables Defender for Storage (Classic) on storage accounts - This policy is deprecated. New enablements of the classic plan are no longer supported, effective February 5, 2025. Existing subscriptions and storage accounts already enabled with the classic plan can continue to use it. For more details, please refer to https://aka.ms/DF-Storage/NewPlanMigration. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Security Center 17bc14a7-92e1-4551-8b8c-80f36953e166 Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) Microsoft Defender for Storage provides Azure-native threat detection for storage accounts. This policy enables basic features (Activity Monitoring). For full protection, including Malware Scanning and Sensitive Data Discovery, use aka.ms/DFStoragePolicy. Major version update: PerTransaction is no longer supported for new enablements after Feb 5, 2025. Existing accounts using it remain supported. Learn more: aka.ms/DF-Storage/NewPlanMigration. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2023-03-31 17:44:15 BuiltIn
Network 4598f028-de1f-4694-8751-84dceb5f86b9 Azure Web Application Firewall on Azure Front Door should have request body inspection enabled Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-03-31 17:44:15 BuiltIn
Network ca85ef9a-741d-461d-8b7a-18c2da82c666 Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-03-31 17:44:15 BuiltIn
Network e52e8487-4a97-48ac-b3e6-1c3cef45d298 Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-03-31 17:44:15 BuiltIn
API Management 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 Configure API Management services to disable access to API Management public service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
API Management Service Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-31 17:44:15 BuiltIn
Security Center 74c30959-af11-47b3-9ed2-a26e03f427a3 [Deprecated]: Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts - please note that deprecation is for commercial cloud only. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2023-03-31 17:44:15 BuiltIn
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 0eddd7f3-3d9b-4927-a07a-806e8ac9486c Configure Azure Databricks workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring fc744b31-a930-4eb5-bc06-e81f98bf7214 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a285df35-0164-4f4d-9e04-c39056742c55 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.2.0-preview > 3.3.0-preview) 2023-03-27 17:43:07 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 76539a09-021e-4300-953b-4c6018ac26dc Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 9ba29e83-863d-4fec-81d0-16dd87067cc3 Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 9c25c9e4-ee12-4882-afd2-11fb9d87893f Azure Databricks Workspaces should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-03-27 17:43:07 BuiltIn
API Management ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (2.0.1 > 2.0.2) 2023-03-27 17:43:07 BuiltIn
Monitoring a81eb966-6696-46b1-9153-bed01569a7d0 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 258823f2-4595-4b52-b333-cc96192710d8 Azure Databricks Workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring a9ebdeda-251a-4311-92be-5167d73b1682 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
App Service a08ae1ab-8d1d-422b-a123-df82b307ba61 App Service app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-03-27 17:43:07 BuiltIn
Azure Databricks 09210db3-d32c-4b2b-b4e1-f72ae920eb11 Configure Azure Databricks Workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-03-27 17:43:07 BuiltIn
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring f5094957-e0f7-4af2-9e14-13d60141dc4a Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-27 17:43:07 BuiltIn
API Management 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management calls to API backends should not bypass certificate thumbprint or name validation To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.1 > 1.0.2) 2023-03-17 18:44:06 BuiltIn
Container Instances 21c469fa-a887-4363-88a9-60bfd6911a15 Configure diagnostics for container group to log analytics workspace Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed. Default
Append
Allowed
Append, Disabled
add
 new Policy 2023-03-17 18:44:06 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch (4.0.1 > 4.0.2) 2023-03-17 18:44:06 BuiltIn
Security Center e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 [Deprecated]: Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations, This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-03-17 18:44:06 BuiltIn
Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab [Deprecated]: Azure Machine Learning workspaces should use private link This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2023-03-17 18:44:06 BuiltIn
Machine Learning 45e05259-1eb5-4f70-9574-baf73e9d219b Azure Machine Learning workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-03-17 18:44:06 BuiltIn
SignalR 21a9766a-82a5-4747-abb5-650b6dbba6d0 Azure SignalR Service should disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
SignalR 62a3ae95-8169-403e-a2d2-b82141448092 Modify Azure SignalR Service resources to disable public network access To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Modify
Allowed
Modify, Disabled 		count: 001
SignalR/Web PubSub Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default
Audit
Allowed
Audit, Disabled
change
 Patch (2.0.0 > 2.0.1) 2023-03-17 18:44:06 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 [Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-03-17 18:44:06 BuiltIn
Managed Grafana bc33de80-97cd-4c11-b6b4-d075e03c7d60 Configure Azure Managed Grafana workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-03-10 18:58:56 BuiltIn
Azure Databricks 2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352 Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-03-10 18:58:56 BuiltIn
Backup 04726aae-4e8d-427c-af7d-ecf56d490022 [Preview]: Configure Azure Recovery Services vaults to disable public network access Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Modify
Allowed
Modify, Disabled 		count: 001
Backup Contributor
add
 new Policy 2023-03-10 18:58:56 BuiltIn
Managed Grafana 4c8537f8-cd1b-49ec-b704-18e82a42fd58 Configure Azure Managed Grafana workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2023-03-10 18:58:56 BuiltIn
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-03-03 18:43:58 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Minor (3.2.0 > 3.3.0) 2023-03-03 18:43:58 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview) 2023-03-03 18:43:58 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-03-03 18:43:58 BuiltIn
Kubernetes a8e653d9-b5d4-48a0-afe6-14d881f9ee9a Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2023-03-03 18:43:58 BuiltIn
Managed Grafana e8775d5a-73b7-4977-a39b-833ef0114628 Azure Managed Grafana workspaces should disable public network access Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-02-27 19:03:54 BuiltIn
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 43bc7be6-5e69-4b0d-a2bb-e815557ca673 Public network access on Azure Data Explorer should be disabled Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-02-27 19:03:54 BuiltIn
Managed Grafana 3a97e513-f75e-4230-8137-1efad4eadbbc Azure Managed Grafana workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-02-27 19:03:54 BuiltIn
Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer f7735886-8927-431f-b201-c953922512b8 Azure Data Explorer cluster should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer a47272e1-1d5d-4b0b-b366-4873f1432fe0 Configure Azure Data Explorer clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms]. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
SQL Server Contributor
add
 new Policy 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 7b32f193-cb28-4e15-9a98-b9556db0bafa Configure Azure Data Explorer to disable public network access Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters . Default
Modify
Allowed
Modify, Disabled 		count: 001
SQL Server Contributor
add
 new Policy 2023-02-27 19:03:54 BuiltIn
Automanage fb97d6e1-5c98-4743-a439-23e0977bad9e [Preview]: Boot Diagnostics should be enabled on virtual machines Azure virtual machines should have boot diagniostics enabled. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-02-27 19:03:54 BuiltIn
Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Kubernetes Extension Contributor
change
 Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0) 2023-02-27 19:03:54 BuiltIn
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Azure Data Explorer 1fec9658-933f-4b3e-bc95-913ed22d012b Azure Data Explorer should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-02-27 19:03:54 BuiltIn
Security Center f655e522-adff-494d-95c2-52d4f6d56a42 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center 009259b0-12e8-42c9-94e7-7af86aa58d13 [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Reader
Virtual Machine Contributor
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) 2023-02-27 19:03:54 BuiltIn
Monitoring Deploy-Diagnostics-PostgreSQL [Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.1.0 > 2.0.0) 2023-02-23 23:18:45 ALZ
Monitoring Deploy-Diagnostics-Databricks [Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.2.0 > 1.3.0) 2023-02-23 23:18:45 ALZ
Desktop Virtualization ce6ebf1d-0b94-4df9-9257-d8cacc238b4f Configure Azure Virtual Desktop workspaces to disable public network access Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled 		count: 001
Desktop Virtualization Workspace Contributor
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization e84e8a9a-f43e-46e3-9458-bbcfb2d7e429 Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled 		count: 001
Desktop Virtualization Host Pool Contributor
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
 Minor (3.0.1 > 3.1.0) 2023-02-16 18:41:08 BuiltIn
Automanage fd4726f4-a5fc-4540-912d-67c96fc992d5 [Preview]: Automanage Configuration Profile Assignment should be Conformant Resources managed by Automanage should have a status of Conformant or ConformantCorrected. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 34804460-d88b-4922-a7ca-537165e060ed Configure Azure Virtual Desktop workspace resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization a22065a3-3b04-46ff-b84c-2d30e5c300d0 Azure Virtual Desktop hostpools should disable public network access only on session hosts Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization ca950cd7-02f7-422e-8c23-91ff40f169c1 Azure Virtual Desktop service should use private link Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 02aa841c-42e8-492f-a43d-1f2c67e58d41 Configure Azure Virtual Desktop workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 9427df23-0f42-4e1e-bf99-a6133d841c4a Configure Azure Virtual Desktop hostpool resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 7b331e6b-6096-4395-a754-758a64505f19 Configure Azure Virtual Desktop hostpools with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Key Vault 5f0bc445-3935-4915-9981-011aa2b46147 [Deprecated]: Private endpoint should be configured for Key Vault The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated) 2023-02-16 18:41:08 BuiltIn
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (3.0.1 > 3.1.0) 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 87ac3038-c07a-4b92-860d-29e270a4f3cd Azure Virtual Desktop workspaces should disable public network access Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization 2a0913ff-51e7-47b8-97bb-ea17127f7c8d Configure Azure Virtual Desktop hostpools to disable public network access Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink. Default
Modify
Allowed
Modify, Disabled 		count: 001
Desktop Virtualization Host Pool Contributor
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Desktop Virtualization c25dcf31-878f-4eba-98eb-0818fdc6a334 Azure Virtual Desktop hostpools should disable public network access Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Automanage e4953962-5ae4-43eb-bb92-d66fd5563487 [Preview]: A managed identity should be enabled on your machines Resources managed by Automanage should have a managed identity. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-02-16 18:41:08 BuiltIn
Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) 2023-02-16 18:41:08 BuiltIn
Monitoring Deploy-Diagnostics-VNetGW [Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.1.0 > 1.1.1) 2023-02-16 16:18:41 ALZ
Monitoring Deploy-Diagnostics-Website [Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-02-16 16:18:41 ALZ
Monitoring 69ab8bfc-dc5b-443d-93a7-7531551dec66 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f969646f-b6b8-45a0-b736-bf9b4bb933dc Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 441af8bf-7c88-4efc-bd24-b7be28d4acce Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f8352124-56fa-4f94-9441-425109cdc14b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 55d1f543-d1b0-4811-9663-d6d0dbc6326d Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6b359d8f-f88d-4052-aa7c-32015963ecc1 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6567d3f3-42d0-4cfb-9606-9741ba60fa07 Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) 2023-02-10 18:41:56 BuiltIn
Monitoring f5094957-e0f7-4af2-9e14-13d60141dc4a Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fe85de62-a656-4b79-9d94-d95c89319bd9 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b4a9c220-1d62-4163-a17b-30db7d5b7278 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 614d9fbd-68cd-4832-96db-3362069661b2 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 9f4e810a-899e-4e5e-8174-abfcf15739a3 Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 03a087c0-b49f-4440-9ae5-013703eccc8c Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fc744b31-a930-4eb5-bc06-e81f98bf7214 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 39741c6f-5e8b-4511-bba4-6662d0e0e2ac Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 1513498c-3091-461a-b321-e9b433218d28 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a9ebdeda-251a-4311-92be-5167d73b1682 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring d147ba9f-3e17-40b1-9c23-3bca478ba804 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 8656d368-0643-4374-a63f-ae0ed4da1d9a Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
SQL 146412e9-005c-472b-9e48-c87b72ac229e A Microsoft Entra administrator should be provisioned for MySQL servers Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2023-02-10 18:41:56 BuiltIn
Monitoring 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 07c818eb-df75-4465-9233-6a8667e86670 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0925a080-ab8d-44a1-a39c-61e184b4d8f9 Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
SQL b4dec045-250a-48c2-b5cc-e0c4eec8b5b4 A Microsoft Entra administrator should be provisioned for PostgreSQL servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 69214fad-6742-49a9-8f71-ee9d269364ab Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 818719e5-1338-4776-9a9d-3c31e4df5986 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a8de4d0a-d637-4684-b70e-6df73b74d117 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 4b05de63-3ad2-4f6d-b421-da21f1328f3b Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring d3e11828-02c8-40d2-a518-ad01508bb4d7 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
SQL b52376f7-9612-48a1-81cd-1ffe4b61032c Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2023-02-10 18:41:56 BuiltIn
Monitoring 34c7546c-d637-4b5d-96ab-93fb6ed07af8 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b90ec596-faa6-4c61-9515-34085703e260 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 00ec9865-beb6-4cfd-82ed-bd8f50756acd Enable logging by category group for microsoft.network/p2svpngateways to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) 2023-02-10 18:41:56 BuiltIn
Monitoring 0da6faeb-d6c6-4f6e-9f49-06277493270b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 93a604fe-0ec2-4a99-ab8c-7ef08f05555a Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring ed6ae75a-828f-4fea-88fd-dead1145f1dd Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3496f6fd-57ba-485c-8a14-183c4493b781 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2023-02-10 18:41:56 BuiltIn
Monitoring aec4c33f-2f2a-4fd3-91cd-24a939513c60 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 20f21bc7-b0b8-4d57-83df-5a8a0912b934 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f873a711-0322-4744-8322-7e62950fbec2 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring f08edf17-5de2-4966-8c62-a50a3f4368ff Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring be9259e2-a221-4411-84fd-dd22c6691653 Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 14e81583-c89c-47db-af0d-f9ddddcccd9f Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a285df35-0164-4f4d-9e04-c39056742c55 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring a81eb966-6696-46b1-9153-bed01569a7d0 Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 56288eb2-4350-461d-9ece-2bb242269dce Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 567c93f7-3661-494f-a30f-0a94d9bfebf8 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 76539a09-021e-4300-953b-4c6018ac26dc Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring fc66c506-9397-485e-9451-acc1525f0070 Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3dd58519-427e-42a4-8ffc-e415a3c716f1 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring edf35972-ed56-4c2f-a4a1-65f0471ba702 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 0e0c742d-5031-4e65-bf96-1bee7cf55740 Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring e20f31d7-6b6d-4644-962a-ae513a85ab0b Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 9ba29e83-863d-4fec-81d0-16dd87067cc3 Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring e9c56c41-d453-4a80-af93-2331afeb3d82 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 90c90eda-bfe7-4c67-bf26-410420ed1047 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 94d707a8-ce27-4851-9ce2-07dfe96a095b Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring c3b912c2-7f5b-47ac-bd52-8c85a7667961 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 6f3f5778-f809-4755-9d8f-bd5a5a7add85 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b88bfd90-4da5-43eb-936f-ae1481924291 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 46b2dd5d-3936-4347-8908-b298ea4466d3 Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring b797045a-b3cd-46e4-adc4-bbadb3381d78 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 50cebe4c-8021-4f07-bcb2-6c80622444a9 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring bf6af3d2-fbd5-458f-8a40-2556cf539b45 Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
API Management f1cc7827-022c-473e-836e-5a51cae0b249 API Management secret named values should be stored in Azure Key Vault Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.1 > 1.0.2) 2023-02-10 18:41:56 BuiltIn
Monitoring 106cd3bd-50a1-466c-869f-f9c2d310477b Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2023-02-10 18:41:56 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (4.0.0 > 4.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.1.0 > 2.2.0) 2023-02-03 18:39:01 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (2.0.0 > 2.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (2.0.0 > 2.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring f17d891d-ff20-46f2-bad3-9e0a5403a4d3 Linux Arc-enabled machines should have Azure Monitor Agent installed Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.1 > 1.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.1.0 > 2.2.0) 2023-02-03 18:39:01 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (6.0.0 > 6.1.0) 2023-02-03 18:39:01 BuiltIn
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.1 > 1.1.0) 2023-02-03 18:39:01 BuiltIn
Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.1 > 1.2.1) 2023-02-03 18:39:01 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Minor (3.1.0 > 3.2.0) 2023-01-27 18:40:07 BuiltIn
Key Vault 12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5 Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-01-27 18:40:07 BuiltIn
Network e920df7f-9a64-4066-9b58-52684c02a091 Configure network security groups to enable traffic analytics Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-01-27 18:40:07 BuiltIn
Network 5e1cd26a-5090-4fdb-9d6a-84a90335e22d Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2023-01-27 18:40:07 BuiltIn
Network 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 Deploy a flow log resource with target network security group Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2023-01-27 18:40:07 BuiltIn
API Management 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 API Management subscriptions should not be scoped to all APIs API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Minor (1.0.0 > 1.1.0) 2023-01-27 18:40:07 BuiltIn
SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (3.0.0 > 3.0.1) 2023-01-27 18:40:07 BuiltIn
Machine Learning Deny-MachineLearning-PublicAccessWhenBehindVnet Deny public access behind vnet to Azure Machine Learning workspace Deny public access behind vnet to Azure Machine Learning workspaces. Default
Deny
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.0 > 1.0.1) 2023-01-24 24:18:06 ALZ
Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-01-23 18:07:09 BuiltIn
Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Kubernetes Extension Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-01-23 18:07:09 BuiltIn
Backup 9798d31d-6028-4dee-8643-46102185c016 [Preview]: Soft delete should be enabled for Backup Vaults This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-01-23 18:07:09 BuiltIn
Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-01-23 18:07:09 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (2.0.0 > 2.1.0) 2023-01-23 18:07:09 BuiltIn
Key Vault ed7c8c13-51e7-49d1-8a43-8490431a0da2 Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (3.0.0 > 3.0.1) 2023-01-23 18:07:09 BuiltIn
Backup 2514263b-bc0d-4b06-ac3e-f262c0979018 [Preview]: Immutability must be enabled for backup vaults This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2023-01-23 18:07:09 BuiltIn
Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-01-23 18:07:09 BuiltIn
Key Vault 9d4fad1f-5189-4a42-b29e-cf7929c6b6df Configure Azure Key Vaults with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Key Vault Contributor
Network Contributor
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2023-01-23 18:07:09 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.0.0 > 9.1.0) 2023-01-13 18:06:06 BuiltIn
Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, old suffix: preview (2.0.0-preview > 2.0.0) 2023-01-13 18:06:06 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch, new suffix: preview (1.0.0 > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Data Factory 77d40665-3120-4348-b539-3192ec808307 Azure Data Factory should use a Git repository for source control Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2023-01-13 18:06:06 BuiltIn
Web PubSub 17f9d984-90c8-43dd-b7a6-76cb694815c1 Configure Azure Web PubSub Service to disable local authentication Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication. Default
Modify
Allowed
Modify, Disabled 		count: 001
SignalR/Web PubSub Contributor
add
 new Policy 2023-01-13 18:06:06 BuiltIn
Key Vault e58fd0c1-feac-4d12-92db-0a7e9421f53e [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, new suffix: preview (1.0.0 > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Container Registry e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Patch (1.0.0 > 1.0.1) 2023-01-13 18:06:06 BuiltIn
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (4.0.0 > 4.1.0) 2023-01-13 18:06:06 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch (4.0.0 > 4.0.1) 2023-01-13 18:06:06 BuiltIn
SQL 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2023-01-13 18:06:06 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.0.0 > 9.1.0) 2023-01-13 18:06:06 BuiltIn
Data Factory 127ef6d7-242f-43b3-9eef-947faf1725d0 Azure Data Factory linked services should use Key Vault for storing secrets To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2023-01-13 18:06:06 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.0.0 > 9.1.0) 2023-01-13 18:06:06 BuiltIn
Service Bus cbd11fd3-3002-4907-b6c8-579f0e700e13 Service Bus Namespaces should disable public network access Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2023-01-13 18:06:06 BuiltIn
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2023-01-13 18:06:06 BuiltIn
General a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2023-01-13 18:06:06 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2023-01-13 18:06:06 BuiltIn
Key Vault ad27588c-0198-4c84-81ef-08efd0274653 [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Key Vault 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 [Preview]: Azure Key Vault Managed HSM keys should have an expiration date To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
SQL 86a912f6-9a06-4e26-b447-11b16ba8659f Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL DB Contributor
change
 Minor (2.1.0 > 2.2.0) 2023-01-13 18:06:06 BuiltIn
Data Factory 85bb39b5-2f66-49f8-9306-77da3ac5130f Azure Data Factory integration runtime should have a limit for number of cores To manage your resources and costs, limit the number of cores for an integration runtime. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2023-01-13 18:06:06 BuiltIn
Event Hub 0602787f-9896-402a-a6e1-39ee63ee435e Event Hub Namespaces should disable public network access Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-01-13 18:06:06 BuiltIn
Backup 9ebbbba3-4d65-4da9-bb67-b22cfaaff090 [Preview]: Azure Recovery Services vaults should disable public network access Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-01-13 18:06:06 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (9.0.0 > 9.1.0) 2023-01-13 18:06:06 BuiltIn
Key Vault 86810a98-8e91-4a44-8386-ec66d0de5d57 [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2023-01-13 18:06:06 BuiltIn
Machine Learning ee40564d-486e-4f68-a5ca-7a621edae0fb Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Minor (1.0.0 > 1.1.0) 2023-01-13 18:06:06 BuiltIn
Data Factory 6809a3d0-d354-42fb-b955-783d207c62a8 Azure Data Factory linked service resource type should be in allow list Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2023-01-13 18:06:06 BuiltIn
Web PubSub b66ab71c-582d-4330-adfd-ac162e78691e Azure Web PubSub Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively require Azure Active Directory identities for authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2023-01-13 18:06:06 BuiltIn
Machine Learning f110a506-2dcb-422e-bcea-d533fc8c35e2 Azure Machine Learning compute instances should be recreated to get the latest software updates Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/. Fixed
[parameters('effects')]
add
 new Policy 2023-01-13 18:06:06 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2023-01-04 18:03:56 BuiltIn
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2023-01-04 18:03:56 BuiltIn
SQL Deploy-Sql-vulnerabilityAssessments [Deprecated]: Deploy SQL Database vulnerability Assessments Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 003
Monitoring Contributor
SQL Security Manager
Storage Account Contributor
change
 Patch (1.0.0 > 1.0.1)

Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ		 2023-01-04 04:18:03 ALZ
Security Center Deploy-ASC-SecurityContacts Deploy Microsoft Defender for Cloud Security Contacts Deploy Microsoft Defender for Cloud Security Contacts Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor (1.0.0 > 1.1.0) 2022-12-28 28:18:06 ALZ
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d2c Configure ChangeTracking Extension for Windows virtual machine scale sets Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Security Center d30025d0-6d64-656d-6465-67688881b632 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (2.0.1-preview > 3.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-12-21 17:43:51 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-12-21 17:43:51 BuiltIn
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (4.0.0 > 4.0.1) 2022-12-21 17:43:51 BuiltIn
App Service 33228571-70a4-4fa1-8ca1-26d0aba8d6ef [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-12-21 17:43:51 BuiltIn
App Service a691eacb-474d-47e4-b287-b4813ca44222 App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring 7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. Fixed
AuditIfNotExists
change
 Patch (2.0.0 > 2.0.1) 2022-12-21 17:43:51 BuiltIn
Security Center 10caed8a-652c-4d1d-84e4-2805b7c07278 Configure ChangeTracking Extension for Linux Arc machines Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-12-21 17:43:51 BuiltIn
Machine Learning f59276f0-5740-4aaf-821d-45d185aa210e Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Guest Configuration cd22fc48-f2c9-4b86-98d3-ec1268b46a8a Configure Linux Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory a7acfae7-9497-4a3f-a3b5-a16a50abbe2f Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Machine Learning afe0c3be-ba3b-4544-ba52-0c99672a8ad6 Resource logs in Azure Machine Learning Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-12-21 17:43:51 BuiltIn
Azure Databricks 51c1490f-3319-459c-bbbc-7f391bbed753 Azure Databricks Clusters should disable public IP Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (5.0.0 > 6.0.0) 2022-12-21 17:43:51 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-12-21 17:43:51 BuiltIn
Security Center 938c4981-c2c9-4168-9cd6-972b8675f906 Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-12-21 17:43:51 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4cd5 Configure ChangeTracking Extension for Windows Arc machines Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Kubernetes c5110b6e-5272-4989-9935-59ad06fdf341 Azure Kubernetes Clusters should enable Container Storage Interface(CSI) The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 1142b015-2bd7-41e0-8645-a531afe09a1e Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center f08f556c-12ff-464d-a7de-40cb5b6cccec Configure ChangeTracking Extension for Windows virtual machines Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory ef9fe2ce-a588-4edd-829c-6247069dcfdb Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Security Center 1288c8d7-4b05-4e3a-bc88-9053caefc021 Configure ChangeTracking Extension for Linux virtual machine scale sets Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Guest Configuration 5fe81c49-16b6-4870-9cee-45d13bf902ce Local authentication methods should be disabled on Windows Servers Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5187 Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory b6faa975-0add-4f35-8d1c-70bba45c4424 Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.1 > 2.0.0) 2022-12-21 17:43:51 BuiltIn
Azure Databricks 138ff14d-b687-4faa-a81c-898c91a87fa2 Resource logs in Azure Databricks Workspaces should be enabled Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center ec88097d-843f-4a92-8471-78016d337ba4 Configure ChangeTracking Extension for Linux virtual machines Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-12-21 17:43:51 BuiltIn
App Service f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.1 > 2.0.0) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 8fd85785-1547-4a4a-bf90-d5483c9571c5 Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Windows virtual machine scale sets to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory b73e81f3-6303-48ad-9822-b69fc00c15ef Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major, suffix remains equal (2.1.1-preview > 3.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (4.0.0 > 4.0.1) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 4485d24b-a9d3-4206-b691-1fad83bc5007 Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center 8893442c-e7cb-4637-bab8-299a5d4ed96a [Preview]: ChangeTracking extension should be installed on your Linux virtual machine Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Azure Databricks 23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d00 ChangeTracking extension should be installed on your Windows virtual machine scale sets Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
Security Center e71c1e29-9c76-4532-8c4b-cb0573b0014c ChangeTracking extension should be installed on your Linux virtual machine scale sets Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
App Service 801543d1-1953-4a90-b8b0-8cf6d41473a5 App Service apps should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory ad1eeff9-20d7-4c82-a04e-903acab0bfc1 Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory bef2d677-e829-492d-9a3d-f5a20fda818f Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Security Center 221aac80-54d8-484b-83d7-24f4feac2ce0 [Preview]: ChangeTracking extension should be installed on your Windows virtual machine Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
App Service ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-12-21 17:43:51 BuiltIn
App Service 5747353b-1ca9-42c1-a4dd-b874b894f3d4 App Service app slots should enable configuration routing to Azure Virtual Network By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Guest Configuration fad40cac-a972-4db0-b204-f1b15cced89a Local authentication methods should be disabled on Linux machines Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Azure Connected Machine Resource Administrator
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-12-21 17:43:51 BuiltIn
ChangeTrackingAndInventory 09a1f130-7697-42bc-8d84-8a9ea17e5192 Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-12-21 17:43:51 BuiltIn
Monitoring Deploy-Diagnostics-DataFactory [Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2022-12-16 16:17:44 ALZ
SQL ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-12-09 17:45:23 BuiltIn
Monitoring c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. Fixed
deployIfNotExists 		count: 002
Monitoring Contributor
Storage Account Contributor
change
 Patch (2.0.0 > 2.0.1) 2022-12-09 17:45:23 BuiltIn
Monitoring Deploy-Diagnostics-LogAnalytics [Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-11-22 22:17:43 ALZ
Monitoring Deploy-Diagnostics-Databricks [Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2022-11-21 21:17:43 ALZ
SQL Deploy-Sql-Tde [Deprecated] Deploy SQL Database Transparent Data Encryption Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Security Manager
change
 Minor (1.0.0 > 1.1.0)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn		 2022-11-17 17:17:42 ALZ
SQL Deploy-Sql-SecurityAlertPolicies Deploy SQL Database security Alert Policies configuration with email admin accounts Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Security Manager
change
 Minor (1.0.0 > 1.1.1) 2022-11-17 17:17:42 ALZ
Network Deny-PublicIP [Deprecated] Deny the creation of public IP [Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Not allowed resource types (6c112d4e-5bc7-47ae-a041-ea2d9dccd749) BuiltIn		 2022-11-14 14:17:43 ALZ
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.1.0 > 2.0.0) 2022-11-04 17:41:52 BuiltIn
Security Center 1f90fc71-a595-4066-8974-d4d0802e8ef0 Microsoft Defender CSPM should be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-11-04 17:41:52 BuiltIn
Security Center 689f7782-ef2c-4270-a6d0-7664869076bd Configure Microsoft Defender CSPM to be enabled Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2022-11-04 17:41:52 BuiltIn
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca [Deprecated]: Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Patch (3.0.0 > 3.0.1) 2022-11-04 17:41:52 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.1.0 > 2.0.0) 2022-11-04 17:41:52 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.1.0 > 3.0.0) 2022-11-04 17:41:52 BuiltIn
Network Deploy-DDoSProtection Deploy an Azure DDoS Network Protection Deploys an Azure DDoS Network Protection Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-11-03 03:17:41 ALZ
Monitoring Deploy-Nsg-FlowLogs-to-LA [Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics [Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 005
Contributor
Log Analytics Contributor
Network Contributor
Storage Account Contributor
Storage Account Key Operator Service Role
change
 Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn		 2022-11-02 02:17:41 ALZ
Monitoring Deploy-Nsg-FlowLogs [Deprecated] Deploys NSG flow logs and traffic analytics [Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn		 2022-11-02 02:17:41 ALZ
Kubernetes 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-10-28 16:42:53 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-10-28 16:42:53 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-10-28 16:42:53 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Major (1.0.0 > 2.0.0) 2022-10-28 16:42:53 BuiltIn
Automation dea83a72-443c-4292-83d5-54a2f98749c0 Automation Account should have Managed Identity Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code . Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-10-28 16:42:53 BuiltIn
Security Center 938c4981-c2c9-4168-9cd6-972b8675f906 Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-10-28 16:42:53 BuiltIn
Monitoring Deploy-Diagnostics-Firewall [Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-MediaService [Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-TimeSeriesInsights [Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-NIC [Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-NetworkSecurityGroups [Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-DLAnalytics [Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-MlWorkspace [Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-VirtualNetwork [Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-LoadBalancer [Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-RedisCache [Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-EventGridSub [Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-DataExplorerCluster [Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-AnalysisService [Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-SQLElasticPools [Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-TrafficManager [Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-EventGridSystemTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-WVDHostPools [Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.2.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-VM [Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-CDNEndpoints [Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-WebServerFarm [Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-HDInsight [Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-CosmosDB [Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-MySQL [Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Bastion [Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-PowerBIEmbedded [Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ApiForFHIR [Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-APIMgmt [Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-SignalR [Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-iotHub [Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-AA [Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ACR [Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Relay [Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-VNetGW [Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-DataFactory [Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-CognitiveServices [Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Databricks [Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-WVDAppGroup [Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.1 > 1.1.1) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-SQLMI [Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-AVDScalingPlans [Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-WVDWorkspace [Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.1 > 1.1.1) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ACI [Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ExpressRoute [Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-EventGridTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-LogicAppsISE [Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-MariaDB [Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-FrontDoor [Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Website [Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-ApplicationGateway [Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-PostgreSQL [Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-VMSS [Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Monitoring Deploy-Diagnostics-Function [Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-25 25:16:43 ALZ
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 Azure Kubernetes Service Clusters should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Regulatory Compliance a3e98638-51d4-4e28-910a-60e98c1a756f Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Default
Manual
Allowed
Manual, Disabled
change
 Patch (1.1.0 > 1.1.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) 2022-10-21 16:42:13 BuiltIn
Regulatory Compliance f33c3238-11d2-508c-877c-4262ec1132e1 Recover and reconstitute resources after any disruption CMA_C1295 - Recover and reconstitute resources after any disruption Default
Manual
Allowed
Manual, Disabled
change
 Patch (1.1.0 > 1.1.1) 2022-10-21 16:42:13 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2022-10-21 16:42:13 BuiltIn
Kubernetes 89f2d532-c53c-4f8f-9afa-4927b1114a0d Azure Kubernetes Service Clusters should disable Command Invoke Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2022-10-21 16:42:13 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (8.0.0 > 8.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (2.0.0 > 2.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 41425d9f-d1a5-499a-9932-f8ed8453932c Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2022-10-21 16:42:13 BuiltIn
Monitoring 8a04f872-51e9-4313-97fb-fc1c3543011c Azure Application Gateway should have Resource logs enabled Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-21 16:42:13 BuiltIn
Regulatory Compliance 62fa14f0-4cbe-762d-5469-0899a99b98aa Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Default
Manual
Allowed
Manual, Disabled
change
 Patch (1.1.0 > 1.1.1) 2022-10-21 16:42:13 BuiltIn
Regulatory Compliance f801d58e-5659-9a4a-6e8d-02c9334732e5 Restore resources to operational state CMA_C1297 - Restore resources to operational state Default
Manual
Allowed
Manual, Disabled
change
 Patch (1.1.0 > 1.1.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (3.0.0 > 3.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
 Patch (3.0.0 > 3.0.1) 2022-10-21 16:42:13 BuiltIn
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed
deployIfNotExists 		count: 001
Log Analytics Contributor
change
 Major (4.0.0 > 5.0.0) 2022-10-21 16:42:13 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (9.0.0 > 9.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2022-10-21 16:42:13 BuiltIn
Storage b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb Configure diagnostic settings for Blob Services to Log Analytics workspace Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-10-21 16:42:13 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2022-10-21 16:42:13 BuiltIn
Regulatory Compliance 22a02c9a-49e4-5dc9-0d14-eb35ad717154 Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Default
Manual
Allowed
Manual, Disabled
change
 Patch (1.1.0 > 1.1.1) 2022-10-21 16:42:13 BuiltIn
Storage 25a70cc8-2bd4-47f1-90b6-1478e4662c96 Configure diagnostic settings for File Services to Log Analytics workspace Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-10-21 16:42:13 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2022-10-21 16:42:13 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2022-10-21 16:42:13 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (8.0.0 > 8.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2022-10-21 16:42:13 BuiltIn
Monitoring 8a04f872-51e9-4313-97fb-fc1c35430fd8 Azure Front Door should have Resource logs enabled Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-21 16:42:13 BuiltIn
Regulatory Compliance 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
change
 Patch (1.1.0 > 1.1.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (3.0.0 > 3.0.1) 2022-10-21 16:42:13 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-10-21 16:42:13 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes da6e2401-19da-4532-9141-fb8fbde08431 Azure Kubernetes Service Clusters should use managed identities Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2022-10-21 16:42:13 BuiltIn
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed
deployIfNotExists 		count: 001
Virtual Machine Contributor
change
 Major (4.0.0 > 5.0.0) 2022-10-21 16:42:13 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (3.0.0 > 3.0.1) 2022-10-21 16:42:13 BuiltIn
Regulatory Compliance e3905a3c-97e7-0b4f-15fb-465c0927536f Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Default
Manual
Allowed
Manual, Disabled
change
 Patch (1.1.0 > 1.1.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (9.0.0 > 9.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-10-21 16:42:13 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Minor (3.0.0 > 3.1.0) 2022-10-21 16:42:13 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (8.0.0 > 8.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 040732e8-d947-40b8-95d6-854c95024bf8 Azure Kubernetes Service Private Clusters should be enabled Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2022-10-21 16:42:13 BuiltIn
Storage 59759c62-9a22-4cdf-ae64-074495983fef Configure diagnostic settings for Storage Accounts to Log Analytics workspace Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-10-21 16:42:13 BuiltIn
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-10-21 16:42:13 BuiltIn
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix changed: new suffix: deprecated; old suffix: version (4.1.0-version-deprecated > 4.1.1-deprecated) 2022-10-21 16:42:13 BuiltIn
Kubernetes 46238e2f-3f6f-4589-9f3f-77bed4116e67 Azure Kubernetes Clusters should use Azure CNI Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-10-21 16:42:13 BuiltIn
Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (2.2.0 > 2.3.0) 2022-10-21 16:42:13 BuiltIn
Kubernetes 450d2877-ebea-41e8-b00c-e286317d21bf Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.2.0 > 1.3.0) 2022-10-21 16:42:13 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (8.0.0 > 8.0.1) 2022-10-21 16:42:13 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (9.0.0 > 9.0.1) 2022-10-21 16:42:13 BuiltIn
App Service 2d048aca-6479-4923-88f5-e2ac295d9af3 App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-10-14 16:34:37 BuiltIn
Guest Configuration 63594bb8-43bb-4bf0-bbf8-c67e5c28cb65 [Preview]: Linux machines should meet STIG compliance requirement for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-14 16:34:37 BuiltIn
App Service 4ee5b817-627a-435a-8932-116193268172 App Service app slots should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (4.0.0 > 4.0.1) 2022-10-07 16:34:28 BuiltIn
App Service ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd [Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
Synapse c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service a08ae1ab-8d1d-422b-a123-df82b307ba61 App Service app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 70adbb40-e092-42d5-a6f8-71c540a5efdb Configure Function app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
Synapse 8b5c654c-fb07-471b-aa8f-15fea733f140 Configure Azure Synapse Workspace Dedicated SQL minimum TLS version Customers can raise or lower the minimal TLS version using the API, for both new Synapse workspaces or existing workspaces. So users who need to use a lower client version in the workspaces can connect while users who has security requirement can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-10-07 16:34:28 BuiltIn
App Service e2c1c086-2d84-4019-bff3-c44ccd95113c Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (3.0.0 > 4.0.0) 2022-10-07 16:34:28 BuiltIn
Azure Arc d6eeba80-df61-4de5-8772-bc1b7852ba6b Configure Azure Arc Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 003
Azure Connected Machine Resource Administrator
Kubernetes Cluster - Azure Arc Onboarding
Network Contributor
change
 Major (1.0.0 > 2.0.0) 2022-10-07 16:34:28 BuiltIn
Azure Arc 12e7176a-4919-47ef-922b-34eda4c7f0ce Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service a096cbd0-4693-432f-9374-682f485f23f3 Configure Function apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Website Contributor
change
 Major (1.0.0 > 2.0.0) 2022-10-07 16:34:28 BuiltIn
App Service 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 Function app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (1.0.0 > 2.0.0) 2022-10-07 16:34:28 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Major (2.1.0 > 3.0.0) 2022-10-07 16:34:28 BuiltIn
App Service fa98f1b1-1f56-4179-9faf-93ad82f3458f Function app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
Azure Arc 55c4db33-97b0-437b-8469-c4f4498f5df9 Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Minor (1.0.0 > 1.2.0) 2022-10-07 16:34:28 BuiltIn
App Service ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d Configure App Service apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-10-07 16:34:28 BuiltIn
Kubernetes dbbdc317-9734-4dd8-9074-993b29c69008 Azure Kubernetes Clusters should enable Key Management Service (KMS) Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) 2022-10-07 16:34:28 BuiltIn
App Service 4a15c15f-90d5-4a1f-8b63-2903944963fd App Service app slots should use managed identity Use a managed identity for enhanced authentication security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 242222f3-4985-4e99-b5ef-086d6a6cb01c Configure Function app slots to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Operator
Network Contributor
Website Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service cca5adfe-626b-4cc6-8522-f5b6ed2391bd Configure App Service app slots to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
Synapse 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 81dff7c0-4020-4b58-955d-c076a2136b56 [Deprecated]: Configure App Services to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-10-07 16:34:28 BuiltIn
App Service 014664e7-e348-41a3-aeb9-566e4ff6a9df Configure App Service app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 4dcfb8b5-05cd-4090-a931-2ec29057e1fc App Service app slots should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 08cf2974-d178-48a0-b26d-f6b8e555748b Configure Function app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Website Contributor
change
 Major (1.0.0 > 2.0.0) 2022-10-07 16:34:28 BuiltIn
Azure Arc 4002015b-1272-4dfb-8943-fed4aeec39b6 Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Modify
Allowed
Modify, Disabled 		count: 001
Kubernetes Cluster - Azure Arc Onboarding
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 Configure Function apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-10-07 16:34:28 BuiltIn
App Service 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 [Deprecated]: App Services should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-10-07 16:34:28 BuiltIn
App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (4.0.0 > 5.0.0) 2022-10-07 16:34:28 BuiltIn
App Service ae1b9a8c-dfce-4605-bd91-69213b4a26fc App Service app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (1.0.0 > 2.0.0) 2022-10-07 16:34:28 BuiltIn
App Service d639b3af-a535-4bef-8dcf-15078cddf5e2 App Service app slots should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
Synapse cb3738a6-82a2-4a18-b87b-15217b9deff4 Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-10-07 16:34:28 BuiltIn
App Service c6c3e00e-d414-4ca4-914f-406699bb8eee Configure App Service app slots to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Operator
Network Contributor
Website Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Major, suffix remains equal (1.1.1-preview > 2.0.0-preview) 2022-10-07 16:34:28 BuiltIn
App Service fa3a6357-c6d6-4120-8429-855577ec0063 Configure Function app slots to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 8c122334-9d20-4eb8-89ea-ac9a705b74ae App Service apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (3.0.0 > 4.0.0) 2022-10-07 16:34:28 BuiltIn
App Service 11c82d0c-db9f-4d7b-97c5-f3f9aa957da2 Function app slots should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 1b5ef780-c53c-4a64-87f3-bb9c8c8094ba App Service apps should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service deb528de-8f89-4101-881c-595899253102 Function app slots should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 0f98368e-36bc-4716-8ac2-8f8067203b63 Configure App Service apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Website Contributor
change
 Major (1.0.0 > 2.0.0) 2022-10-07 16:34:28 BuiltIn
Health Data Services workspace 64528841-2f92-43f6-a137-d52e5c3dbeac Azure Health Data Services workspace should use private link Health Data Services workspace should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/healthcareapisprivatelink. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-10-07 16:34:28 BuiltIn
App Service f9d614c5-c173-4d56-95a7-b4437057d193 Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-10-07 16:34:28 BuiltIn
App Service a18c77f2-3d6d-497a-9f61-849a7e8a3b79 Configure App Service app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Website Contributor
change
 Major (1.0.0 > 2.0.0) 2022-10-07 16:34:28 BuiltIn
App Service 89691ef9-8c50-49a8-8950-9c7fba41699e Function app slots should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 2374605e-3e0b-492b-9046-229af202562c Configure App Service apps to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Operator
Network Contributor
Website Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 969ac98b-88a8-449f-883c-2e9adb123127 Function apps should disable public network access Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service a4af4a39-4135-47fb-b175-47fbdf85311d App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (3.0.0 > 4.0.0) 2022-10-07 16:34:28 BuiltIn
App Service cd794351-e536-40f4-9750-503a463d8cad Configure Function apps to disable public network access Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Operator
Network Contributor
Website Contributor
add
 new Policy 2022-10-07 16:34:28 BuiltIn
App Service 701a595d-38fb-4a66-ae6d-fb3735217622 App Service app slots should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-10-07 16:34:28 BuiltIn
Monitoring 7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. Fixed
AuditIfNotExists
change
 Major (1.1.0 > 2.0.0) 2022-10-05 16:36:28 BuiltIn
Security Center 62b52eae-c795-44e3-94e8-1b3d264766fb [Deprecated]: Azure Security agent should be installed on your Linux virtual machine scale sets Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-09-30 16:34:23 BuiltIn
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-30 16:34:23 BuiltIn
Security Center 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 [Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (6.0.0-preview > 7.0.0-preview) 2022-09-30 16:34:23 BuiltIn
Security Center 808a7dc4-49f2-4e7b-af75-d14e561c244a [Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-09-30 16:34:23 BuiltIn
Security Center bb2c6c6d-14bc-4443-bef3-c6be0adc6076 [Deprecated]: Azure Security agent should be installed on your Windows virtual machines Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-09-30 16:34:23 BuiltIn
Security Center e8794316-d918-4565-b57d-6b38a06381a0 [Deprecated]: Azure Security agent should be installed on your Linux virtual machines Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-09-30 16:34:23 BuiltIn
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-09-30 16:34:23 BuiltIn
Security Center e16f967a-aa57-4f5e-89cd-8d1434d0a29a [Deprecated]: Azure Security agent should be installed on your Windows virtual machine scale sets Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-09-30 16:34:23 BuiltIn
Synapse cfaf0007-99c7-4b01-b36b-4048872ac978 Azure Synapse Analytics dedicated SQL pools should enable encryption Enable transparent data encryption for Azure Synapse Analytics dedicated SQL pools to protect data-at-rest and meet compliance requirements. Please note that enabling transparent data encryption for the pool may impact query performance. More details can refer to https://go.microsoft.com/fwlink/?linkid=2147714 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-30 16:34:23 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-30 16:34:23 BuiltIn
Security Center 6654c8c4-e6f8-43f8-8869-54327af7ce32 [Deprecated]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-09-30 16:34:23 BuiltIn
Regulatory Compliance 4aacaec9-0628-272c-3e83-0d68446694e0 Manage Authenticators CMA_C1321 - Manage Authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e54901fe-42c2-7f3b-3c5f-327aa5320a69 Automate information sharing decisions CMA_0028 - Automate information sharing decisions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e4e1f896-8a93-1151-43c7-0ad23b081ee2 Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e714b481-8fac-64a2-14a9-6f079b2501a4 Use privileged identity management CMA_0533 - Use privileged identity management Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance fc26e2fd-3149-74b4-5988-d64bb90f8ef7 Separately store backup information CMA_C1293 - Separately store backup information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance cc057769-01d9-95ad-a36f-1e62a7f9540b Update POA&M items CMA_C1157 - Update POA&M items Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 874a6f2e-2098-53bc-3a16-20dcdc425a7e Create configuration plan protection CMA_C1233 - Create configuration plan protection Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 28aa060e-25c7-6121-05d8-a846f11433df Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance bfc540fe-376c-2eef-4355-121312fa4437 Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b8587fce-138f-86e8-33a3-c60768bf1da6 Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2e7a98c9-219f-0d58-38dc-d69038224442 Protect the information security program plan CMA_C1732 - Protect the information security program plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e Implement methods for consumer requests CMA_0319 - Implement methods for consumer requests Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7d7a8356-5c34-9a95-3118-1424cfaf192a Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 08c11b48-8745-034d-1c1b-a144feec73b9 Restrict use of open source software CMA_C1237 - Restrict use of open source software Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f27a298f-9443-014a-0d40-fef12adf0259 Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1 Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 68a39c2b-0f17-69ee-37a3-aa10f9853a08 Establish voip usage restrictions CMA_0280 - Establish voip usage restrictions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d25cbded-121e-0ed6-1857-dc698c9095b1 Take action in response to customer information CMA_C1554 - Take action in response to customer information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance dbcef108-7a04-38f5-8609-99da110a2a57 Determine information protection needs CMA_C1750 - Determine information protection needs Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5023a9e7-8e64-2db6-31dc-7bce27f796af Provide privacy notice to the public and to individuals CMA_C1861 - Provide privacy notice to the public and to individuals Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b8dad106-6444-5f55-307e-1e1cc9723e39 Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8e920169-739d-40b5-3f99-c4d855327bb2 Prohibit binary/machine-executable code CMA_C1717 - Prohibit binary/machine-executable code Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d9edcea6-6cb8-0266-a48c-2061fbac4310 Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance cbfa1bd0-714d-8d6f-0480-2ad6a53972df Define and document government oversight CMA_C1587 - Define and document government oversight Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 058e9719-1ff9-3653-4230-23f76b6492e0 Enforce security configuration settings CMA_0249 - Enforce security configuration settings Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 13939f8c-4cd5-a6db-9af4-9dfec35e3722 Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 41172402-8d73-64c7-0921-909083c086b0 Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 92ede480-154e-0e22-4dca-8b46a74a3a51 Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 95eb7d09-9937-5df9-11d9-20317e3f60df Provide formal notice to individuals CMA_C1864 - Provide formal notice to individuals Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance be1c34ab-295a-07a6-785c-36f63c1d223e Obtain user security function documentation CMA_C1581 - Obtain user security function documentation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 271a3e58-1b38-933d-74c9-a580006b80aa Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 677e1da4-00c3-287a-563d-f4a1cf9b99a0 Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance db580551-0b3c-4ea1-8a4c-4cdb5feb340f Provide the logout capability CMA_C1055 - Provide the logout capability Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 79365f13-8ba4-1f6c-2ac4-aa39929f56d0 Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ad1d562b-a04b-15d3-6770-ed310b601cb5 Publish rules and regulations accessing Privacy Act records CMA_C1847 - Publish rules and regulations accessing Privacy Act records Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance bf883b14-9c19-0f37-8825-5e39a8b66d5b Perform threat modeling CMA_0392 - Perform threat modeling Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 94c842e3-8098-38f9-6d3f-8872b790527d Remove or redact any PII CMA_C1833 - Remove or redact any PII Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9c93ef57-7000-63fb-9b74-88f2e17ca5d2 Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7ad83b58-2042-085d-08f0-13e946f26f89 Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b262e1dd-08e9-41d4-963a-258909ad794b Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3bd4e0af-7cbb-a3ec-4918-056a3c017ae2 Keep SORNs updated CMA_C1863 - Keep SORNs updated Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 60442979-6333-85f0-84c5-b887bac67448 Evaluate alternate processing site capabilities CMA_C1266 - Evaluate alternate processing site capabilities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb Document customer-defined actions CMA_C1582 - Document customer-defined actions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e6f7b584-877a-0d69-77d4-ab8b923a9650 Document separation of duties CMA_0204 - Document separation of duties Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7 Define a physical key management process CMA_0115 - Define a physical key management process Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance de251b09-4a5e-1204-4bef-62ac58d47999 Adjust level of audit review, analysis, and reporting CMA_C1123 - Adjust level of audit review, analysis, and reporting Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3881168c-5d38-6f04-61cc-b5d87b2c4c58 Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e0c480bf-0d68-a42d-4cbb-b60f851f8716 Implement personnel screening CMA_0322 - Implement personnel screening Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ae5345d5-8dab-086a-7290-db43a3272198 Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8 Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 77acc53d-0f67-6e06-7d04-5750653d4629 Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2d2ca910-7957-23ee-2945-33f401606efc Accept only FICAM-approved third-party credentials CMA_C1348 - Accept only FICAM-approved third-party credentials Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 676c3c35-3c36-612c-9523-36d266a65000 Require developers to provide training CMA_C1611 - Require developers to provide training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5fe84a4c-1b0c-a738-2aba-ed49c9069d3b Prohibit unfair practices CMA_0396 - Prohibit unfair practices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 92a7591f-73b3-1173-a09c-a08882d84c70 Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 611ebc63-8600-50b6-a0e3-fef272457132 Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b2d3e5a2-97ab-5497-565a-71172a729d93 Protect passwords with encryption CMA_0408 - Protect passwords with encryption Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center f655e522-adff-494d-95c2-52d4f6d56a42 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0 Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance dad1887d-161b-7b61-2e4d-5124a7b5724e Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 44b71aa8-099d-8b97-1557-0e853ec38e0d Obtain functional properties of security controls CMA_C1575 - Obtain functional properties of security controls Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 623b5f0a-8cbd-03a6-4892-201d27302f0c Define information system account types CMA_0121 - Define information system account types Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d7c1ecc3-2980-a079-1569-91aec8ac4a77 Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance df2e9507-169b-4114-3a52-877561ee3198 Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b8972f60-8d77-1cb8-686f-9c9f4cdd8a59 Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4a6f5cbd-6c6b-006f-2bb1-091af1441bce Review malware detections report weekly CMA_0475 - Review malware detections report weekly Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 50e9324a-7410-0539-0662-2c1e775538b7 Authorize and manage access CMA_0023 - Authorize and manage access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f7eb1d0b-6d4f-2d59-1591-7563e11a9313 Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance dd2523d5-2db3-642b-a1cf-83ac973b32c2 Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 29363ae1-68cd-01ca-799d-92c9197c8404 Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9b8b05ec-3d21-215e-5d98-0f7cf0998202 Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 55a7f9a0-6397-7589-05ef-5ed59a8149e7 Control physical access CMA_0081 - Control physical access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 56fb5173-3865-5a5d-5fad-ae33e53e1577 Address information security issues CMA_C1742 - Address information security issues Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 496b407d-9b9e-81e8-4ba4-44bc686b016a Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0065241c-72e9-3b2c-556f-75de66332a94 Establish parameters for searching secret authenticators and verifiers CMA_0274 - Establish parameters for searching secret authenticators and verifiers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2c6bee3a-2180-2430-440d-db3c7a849870 Document security operations CMA_0202 - Document security operations Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0461cacd-0b3b-4f66-11c5-81c9b19a3d22 Verify inaccurate or outdated PII CMA_C1823 - Verify inaccurate or outdated PII Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6a379d74-903b-244a-4c44-838728bea6b0 Analyse data obtained from continuous monitoring CMA_C1169 - Analyse data obtained from continuous monitoring Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7a0ecd94-3699-5273-76a5-edb8499f655a Determine assertion requirements CMA_0136 - Determine assertion requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e336d5f4-4d8f-0059-759c-ae10f63d1747 Enforce user uniqueness CMA_0250 - Enforce user uniqueness Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 13efd2d7-3980-a2a4-39d0-527180c009e8 Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance aa892c0d-2c40-200c-0dd8-eac8c4748ede Employ automatic emergency lighting CMA_0209 - Employ automatic emergency lighting Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 178c8b7e-1b6e-4289-44dd-2f1526b678a1 Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (6.0.0-preview > 7.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance db28735f-518f-870e-15b4-49623cbe3aa0 Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 10c4210b-3ec9-9603-050d-77e4d26c7ebb Enforce logical access CMA_0245 - Enforce logical access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0f4fa857-079d-9d3d-5c49-21f616189e03 Provide real-time alerts for audit event failures CMA_C1114 - Provide real-time alerts for audit event failures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7a114735-a420-057d-a651-9a73cd0416ef Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 35de8462-03ff-45b3-5746-9d4603c74c56 Implement an insider threat program CMA_C1751 - Implement an insider threat program Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 34aac8b2-488a-2b96-7280-5b9b481a317a Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ed87d27a-9abf-7c71-714c-61d881889da4 Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance af38215f-70c4-0cd6-40c2-c52d86690a45 Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c246d146-82b0-301f-32e7-1065dcd248b7 Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 21633c09-804e-7fcd-78e3-635c6bfe2be7 Provide capability to process customer-controlled audit records CMA_C1126 - Provide capability to process customer-controlled audit records Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 575ed5e8-4c29-99d0-0e4d-689fb1d29827 Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8019d788-713d-90a1-5570-dac5052f517d Train staff on PII sharing and its consequences CMA_C1871 - Train staff on PII sharing and its consequences Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 63f63e71-6c3f-9add-4c43-64de23e554a7 Manage gateways CMA_0363 - Manage gateways Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 055da733-55c6-9e10-8194-c40731057ec4 Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e4b00788-7e1c-33ec-0418-d048508e095b Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7a489c62-242c-5db9-74df-c073056d6fa3 Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c6fe3856-4635-36b6-983c-070da12a953b Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 70a7a065-a060-85f8-7863-eb7850ed2af9 Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f96d2186-79df-262d-3f76-f371e3b71798 Review user privileges CMA_C1039 - Review user privileges Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f26af0b1-65b6-689a-a03f-352ad2d00f98 Audit privileged functions CMA_0019 - Audit privileged functions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 333b4ada-4a02-0648-3d4d-d812974f1bb2 Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3eecf628-a1c8-1b48-1b5c-7ca781e97970 Specify permitted actions associated with customer audit information CMA_C1122 - Specify permitted actions associated with customer audit information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 59f7feff-02aa-6539-2cf7-bea75b762140 Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e750ca06-1824-464a-2cf3-d0fa754d1cb4 Establish a secure software development program CMA_0259 - Establish a secure software development program Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 Ensure system capable of dynamic isolation of resources CMA_C1638 - Ensure system capable of dynamic isolation of resources Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1a2a03a4-9992-5788-5953-d8f6615306de Govern policies and procedures CMA_0292 - Govern policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 341bc9f1-7489-07d9-4ec6-971573e1546a Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2927e340-60e4-43ad-6b5f-7a1468232cc2 Configure detection whitelist CMA_0068 - Configure detection whitelist Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c423e64d-995c-9f67-0403-b540f65ba42a Assess Security Controls CMA_C1145 - Assess Security Controls Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f801d58e-5659-9a4a-6e8d-02c9334732e5 Restore resources to operational state CMA_C1297 - Restore resources to operational state Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 12af7c7a-92af-9e96-0d0c-5e732d1a3751 Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Monitoring d4b065e2-fbda-4461-a42c-b0346aeb12a0 The legacy Log Analytics extension should not be installed on Linux virtual machines Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machines. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 25a1f840-65d0-900a-43e4-bee253de04de Define requirements for managing assets CMA_0125 - Define requirements for managing assets Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c42f19c9-5d88-92da-0742-371a0ea03126 Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9c276cf3-596f-581a-7fbd-f5e46edaa0f4 Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6abdf7c7-362b-3f35-099e-533ed50988f9 Assign information security representative to change control CMA_C1198 - Assign information security representative to change control Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8 Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a315c657-4a00-8eba-15ac-44692ad24423 Protect special information CMA_0409 - Protect special information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4e400494-53a5-5147-6f4d-718b539c7394 Manage compliance activities CMA_0358 - Manage compliance activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f2222056-062d-1060-6dc2-0107a68c34b2 Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance aa305b4d-8c84-1754-0c74-dec004e66be0 Develop contingency plan CMA_C1244 - Develop contingency plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 35963d41-4263-0ef9-98d5-70eb058f9e3c Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5226dee6-3420-711b-4709-8e675ebd828f Update information security policies CMA_0518 - Update information security policies Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a3e98638-51d4-4e28-910a-60e98c1a756f Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 79c75b38-334b-1a69-65e0-a9d929a42f75 Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 97f0d974-1486-01e2-2088-b888f46c0589 Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9b55929b-0101-47c0-a16e-d6ac5c7d21f8 Undergo independent security review CMA_0515 - Undergo independent security review Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 58a51cde-008b-1a5d-61b5-d95849770677 Test the business continuity and disaster recovery plan CMA_0509 - Test the business continuity and disaster recovery plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8eea8c14-4d93-63a3-0c82-000343ee5204 Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 53fc1282-0ee3-2764-1319-e20143bb0ea5 Review contingency plan CMA_C1247 - Review contingency plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1beb1269-62ee-32cd-21ad-43d6c9750eb6 Ensure privacy program information is publicly available CMA_C1867 - Ensure privacy program information is publicly available Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 81b6267b-97a7-9aa5-51ee-d2584a160424 Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 979ed3b6-83f9-26bc-4b86-5b05464700bf Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 964b340a-43a4-4798-2af5-7aedf6cb001b Collect PII directly from the individual CMA_C1822 - Collect PII directly from the individual Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e23444b9-9662-40f3-289e-6d25c02b48fa Review label activity and analytics CMA_0474 - Review label activity and analytics Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 04b3e7f6-4841-888d-4799-cda19a0084f6 Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928 Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b5a4be05-3997-1731-3260-98be653610f6 Perform disposition review CMA_0391 - Perform disposition review Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 11ba0508-58a8-44de-5f3a-9e05d80571da Develop business classification schemes CMA_0155 - Develop business classification schemes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 86ecd378-a3a0-5d5b-207c-05e6aaca43fc Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 08ad71d0-52be-6503-4908-e015460a16ae Require use of individual authenticators CMA_C1305 - Require use of individual authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance aa0ddd99-43eb-302d-3f8f-42b499182960 Install an alarm system CMA_0338 - Install an alarm system Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a8df9c78-4044-98be-2c05-31a315ac8957 Conform to FICAM-issued profiles CMA_C1350 - Conform to FICAM-issued profiles Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 171e377b-5224-4a97-1eaa-62a3b5231dac Generate internal security alerts CMA_C1704 - Generate internal security alerts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e603da3a-8af7-4f8a-94cb-1bcc0e0333d2 Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4c385143-09fd-3a34-790c-a5fd9ec77ddc Provide role-based security training CMA_C1094 - Provide role-based security training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 59bedbdc-0ba9-39b9-66bb-1d1c192384e6 Control information flow CMA_0079 - Control information flow Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 26d178a4-9261-6f04-a100-47ed85314c6e Implement security directives CMA_C1706 - Implement security directives Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4ee5975d-2507-5530-a20a-83a725889c6f Restrict unauthorized software and firmware installation CMA_C1205 - Restrict unauthorized software and firmware installation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Monitoring bd58d393-162c-4134-bcd6-a6a5484a37a1 The legacy Log Analytics extension should not be installed on Azure Arc enabled Linux servers Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Linux servers. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1c258345-5cd4-30c8-9ef3-5ee4dd5231d6 Develop security assessment plan CMA_C1144 - Develop security assessment plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c6b877a6-5d6d-1862-4b7f-3ccc30b25b63 Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1282809c-9001-176b-4a81-260a085f4872 Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0ba211ef-0e85-2a45-17fc-401d1b3f8f85 Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 29acfac0-4bb4-121b-8283-8943198b1549 Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7805a343-275c-41be-9d62-7215b96212d8 Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b65c5d8e-9043-9612-2c17-65f231d763bb Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4edaca8c-0912-1ac5-9eaa-6a1057740fae Provide capability to disconnect or disable remote access CMA_C1066 - Provide capability to disconnect or disable remote access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f49925aa-9b11-76ae-10e2-6e973cc60f37 Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 97d91b33-7050-237b-3e23-a77d57d84e13 Issue public key certificates CMA_0347 - Issue public key certificates Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Cosmos DB 9d83ccb1-f313-46ce-9d39-a198bfdb51a0 Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration. Regenerate your keys in the specified time to keep your data more protected. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 398fdbd8-56fd-274d-35c6-fa2d3b2755a1 Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a830fe9e-08c9-a4fb-420c-6f6bf1702395 Review account provisioning logs CMA_0460 - Review account provisioning logs Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Monitoring 1f6e93e8-6b31-41b1-83f6-36e449a42579 Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.1.0 > 2.0.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b6b32f80-a133-7600-301e-398d688e7e0c Evaluate and review PII holdings regularly CMA_C1832 - Evaluate and review PII holdings regularly Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 03b6427e-6072-4226-4bd9-a410ab65317e Design an access control model CMA_0129 - Design an access control model Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2b4e134f-1e4c-2bff-573e-082d85479b6e Develop an incident response plan CMA_0145 - Develop an incident response plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 834b7a4a-83ab-2188-1a26-9c5033d8173b Incorporate security and data privacy practices in research processing CMA_0331 - Incorporate security and data privacy practices in research processing Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 03d550b4-34ee-03f4-515f-f2e2faf7a413 Review access control policies and procedures CMA_0457 - Review access control policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 44f8a42d-739f-8030-89a8-4c2d5b3f6af3 Provide audit review, analysis, and reporting capability CMA_C1124 - Provide audit review, analysis, and reporting capability Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c2cb4658-44dc-9d11-3dad-7c6802dd5ba3 Generate error messages CMA_C1724 - Generate error messages Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d4e6a629-28eb-79a9-000b-88030e4823ca Coordinate with external organizations to achieve cross org perspective CMA_C1368 - Coordinate with external organizations to achieve cross org perspective Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance edcc36f1-511b-81e0-7125-abee29752fe7 Manage availability and capacity CMA_0356 - Manage availability and capacity Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f6794ab8-9a7d-3b24-76ab-265d3646232b Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 14a4fd0a-9100-1e12-1362-792014a28155 Update contingency plan CMA_C1248 - Update contingency plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 725164e5-3b21-1ec2-7e42-14f077862841 Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b8a9bb2f-7290-3259-85ce-dca7d521302d Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 84a01872-5318-049e-061e-d56734183e84 Distribute information system documentation CMA_C1584 - Distribute information system documentation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f3c17714-8ce7-357f-4af2-a0baa63a063f Make SORNs available publicly CMA_C1865 - Make SORNs available publicly Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 426c172c-9914-10d1-25dd-669641fc1af4 Enable detection of network devices CMA_0220 - Enable detection of network devices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e7589f4e-1e8b-72c2-3692-1e14d7f3699f Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3c93dba1-84fd-57de-33c7-ef0400a08134 Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance fad161f5-5261-401a-22dd-e037bae011bd Review threat protection status weekly CMA_0479 - Review threat protection status weekly Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6b957f60-54cd-5752-44d5-ff5a64366c93 Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1e0d5ba8-a433-01aa-829c-86b06c9631ec Include dynamic reconfig of customer deployed resources CMA_C1364 - Include dynamic reconfig of customer deployed resources Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ff1efad2-6b09-54cc-01bf-d386c4d558a8 Secure the interface to external systems CMA_0491 - Secure the interface to external systems Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3a868d0c-538f-968b-0191-bddb44da5b75 Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7d70383a-32f4-a0c2-61cf-a134851968c2 Determine legal authority to collect PII CMA_C1800 - Determine legal authority to collect PII Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5fc24b95-53f7-0ed1-2330-701b539b97fe Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 13ef3484-3a51-785a-9c96-500f21f84edd Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c7d57a6a-7cc2-66c0-299f-83bf90558f5d Enforce random unique session identifiers CMA_0247 - Enforce random unique session identifiers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8cd815bf-97e1-5144-0735-11f6ddb50a59 Enforce and audit access restrictions CMA_C1203 - Enforce and audit access restrictions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 037c0089-6606-2dab-49ad-437005b5035f Identify incident response personnel CMA_0301 - Identify incident response personnel Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance eb1c944e-0e94-647b-9b7e-fdb8d2af0838 Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5bac5fb7-7735-357b-767d-02264bfe5c3b Perform all non-local maintenance CMA_C1417 - Perform all non-local maintenance Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 015b4935-448a-8684-27c0-d13086356c33 Implement a threat awareness program CMA_C1758 - Implement a threat awareness program Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6bededc0-2985-54d5-4158-eb8bad8070a0 Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance cdcb825f-a0fb-31f9-29c1-ab566718499a Publish Computer Matching Agreements on public website CMA_C1829 - Publish Computer Matching Agreements on public website Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9 Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0bbfd658-93ab-6f5e-1e19-3c1c1da62d01 Keep accurate accounting of disclosures of information CMA_C1818 - Keep accurate accounting of disclosures of information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ee67c031-57fc-53d0-0cca-96c4c04345e8 Document and distribute a privacy policy CMA_0188 - Document and distribute a privacy policy Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a28323fe-276d-3787-32d2-cef6395764c4 Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7d10debd-4775-85a7-1a41-7e128e0e8c50 Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 37dbe3dc-0e9c-24fa-36f2-11197cbfa207 Ensure authorized users protect provided authenticators CMA_C1339 - Ensure authorized users protect provided authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 20012034-96f0-85c2-4a86-1ae1eb457802 Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8e49107c-3338-40d1-02aa-d524178a2afe Deliver security assessment results CMA_C1147 - Deliver security assessment results Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9ac8621d-9acd-55bf-9f99-ee4212cc3d85 Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3d492600-27ba-62cc-a1c3-66eb919f6a0d Document remote access guidelines CMA_0196 - Document remote access guidelines Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8b1f29eb-1b22-4217-5337-9207cb55231e Perform information input validation CMA_C1723 - Perform information input validation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2af4640d-11a6-a64b-5ceb-a468f4341c0c Define and enforce inactivity log policy CMA_C1017 - Define and enforce inactivity log policy Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance eaaae23f-92c9-4460-51cf-913feaea4d52 Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance eb598832-4bcc-658d-4381-3ecbe17b9866 Provide timely maintenance support CMA_C1425 - Provide timely maintenance support Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d9af7f88-686a-5a8b-704b-eafdab278977 Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c0559109-6a27-a217-6821-5a6d44f92897 Maintain integrity of audit system CMA_C1133 - Maintain integrity of audit system Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3d399cf3-8fc6-0efc-6ab0-1412f1198517 Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b53aa659-513e-032c-52e6-1ce0ba46582f Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 09960521-759e-5d12-086f-4192a72a5e92 Protect administrator and user documentation CMA_C1583 - Protect administrator and user documentation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 34738025-5925-51f9-1081-f2d0060133ed Information security and personal data protection CMA_0332 - Information security and personal data protection Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a1334a65-2622-28ee-5067-9d7f5b915cc5 Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d041726f-00e0-41ca-368c-b1a122066482 Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0123edae-3567-a05a-9b05-b53ebe9d3e7e View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 69d90ee6-9f9f-262a-2038-d909fb4e5723 Identify spilled information CMA_0303 - Identify spilled information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 043c1e56-5a16-52f8-6af8-583098ff3e60 Create a data inventory CMA_0096 - Create a data inventory Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 873895e8-0e3a-6492-42e9-22cd030e9fcd Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance eab4450d-9e5c-4f38-0656-2ff8c78c83f3 Document and implement privacy complaint procedures CMA_0189 - Document and implement privacy complaint procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 245fe58b-96f8-9f1e-48c5-7f49903f66fd Establish alternate storage site that facilitates recovery operations CMA_C1270 - Establish alternate storage site that facilitates recovery operations Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 50e81644-923d-33fc-6ebb-9733bc8d1a06 Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3ad7f0bc-3d03-0585-4d24-529779bb02c2 Maintain availability of information CMA_C1644 - Maintain availability of information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 203101f5-99a3-1491-1b56-acccd9b66a9e Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 32f22cfa-770b-057c-965b-450898425519 Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3baee3fd-30f5-882c-018c-cc78703a0106 Employ independent assessors for continuous monitoring CMA_C1168 - Employ independent assessors for continuous monitoring Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3c9aa856-6b86-35dc-83f4-bc72cec74dea Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a930f477-9dcb-2113-8aa7-45bb6fc90861 Review and update the events defined in AU-02 CMA_C1106 - Review and update the events defined in AU-02 Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 92b94485-1c49-3350-9ada-dffe94f08e87 Obtain approvals for acquisitions and outsourcing CMA_C1590 - Obtain approvals for acquisitions and outsourcing Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c3b3cc61-9c70-5d78-7f12-1aefcc477db7 Review security testing, training, and monitoring plans CMA_C1754 - Review security testing, training, and monitoring plans Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ca748dfe-3e28-1d18-4221-89aea30aa0a5 Identify status of individual users CMA_C1316 - Identify status of individual users Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d8bbd80e-3bb1-5983-06c2-428526ec6a63 Establish a password policy CMA_0256 - Establish a password policy Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance af5ff768-a34b-720e-1224-e6b3214f3ba6 Establish an alternate processing site CMA_0262 - Establish an alternate processing site Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 Monitor account activity CMA_0377 - Monitor account activity Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5715bf33-a5bd-1084-4e19-bc3c83ec1c35 Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 77cc89bb-774f-48d7-8a84-fb8c322c3000 Track software license usage CMA_C1235 - Track software license usage Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e9c60c37-65b0-2d72-6c3c-af66036203ae Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 46ab2c5e-6654-1f58-8c83-e97a44f39308 Identify external service providers CMA_C1591 - Identify external service providers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 07b42fb5-027e-5a3c-4915-9d9ef3020ec7 Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f Employ restrictions on external system interconnections CMA_C1155 - Employ restrictions on external system interconnections Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6228396e-2ace-7ca5-3247-45767dbf52f4 Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0040d2e5-2779-170d-6a2c-1f5fca353335 Restrict location of information processing, storage and services CMA_C1593 - Restrict location of information processing, storage and services Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e1379836-3492-6395-451d-2f5062e14136 Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba Review file and folder activity CMA_0473 - Review file and folder activity Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 57adc919-9dca-817c-8197-64d812070316 Develop an enterprise architecture CMA_C1741 - Develop an enterprise architecture Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6122970b-8d4a-7811-0278-4c6c68f61e4f Restrict media use CMA_0450 - Restrict media use Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 33d34fac-56a8-1c0f-0636-3ed94892a709 Govern the allocation of resources CMA_0293 - Govern the allocation of resources Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5decc032-95bd-2163-9549-a41aba83228e Implement formal sanctions process CMA_0317 - Implement formal sanctions process Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1ff03f2a-974b-3272-34f2-f6cd51420b30 Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 396f465d-375e-57de-58ba-021adb008191 Invalidate session identifiers at logout CMA_C1661 - Invalidate session identifiers at logout Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5c40f27b-6791-18c5-3f85-7b863bd99c11 Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 22a02c9a-49e4-5dc9-0d14-eb35ad717154 Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c79d378a-2521-822a-0407-57454f8d2c74 Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d18af1ac-0086-4762-6dc8-87cdded90e39 Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b4409bff-2287-8407-05fd-c73175a68302 Enforce a limit of consecutive failed login attempts CMA_C1044 - Enforce a limit of consecutive failed login attempts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 433de59e-7a53-a766-02c2-f80f8421469a Implement incident handling CMA_0318 - Implement incident handling Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2f204e72-1896-3bf8-75c9-9128b8683a36 Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3054c74b-9b45-2581-56cf-053a1a716c39 Accept assessment results CMA_C1150 - Accept assessment results Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8c5d3d8d-5cba-0def-257c-5ab9ea9644dc Perform a risk assessment CMA_0388 - Perform a risk assessment Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 06f84330-4c27-21f7-72cd-7488afd50244 Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e89436d8-6a93-3b62-4444-1d2a42ad56b2 Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1d39b5d9-0392-8954-8359-575ce1957d1a Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 22c16ae4-19d0-29cb-422f-cb44061180ee Disable user accounts posing a significant risk CMA_C1026 - Disable user accounts posing a significant risk Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 57927290-8000-59bf-3776-90c468ac5b4b Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d93fe1be-13e4-421d-9c21-3158e2fa2667 Implement plans of action and milestones for security program process CMA_C1737 - Implement plans of action and milestones for security program process Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 49c23d9b-02b0-0e42-4f94-e8cef1b8381b Audit user account status CMA_0020 - Audit user account status Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 60ee1260-97f0-61bb-8155-5d8b75743655 Separate duties of individuals CMA_0492 - Separate duties of individuals Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a4493012-908c-5f48-a468-1e243be884ce Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3af53f59-979f-24a8-540f-d7cdbc366607 Require users to sign access agreement CMA_0440 - Require users to sign access agreement Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4c6df5ff-4ef2-4f17-a516-0da9189c603b Assign account managers CMA_0015 - Assign account managers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c7e8ddc1-14aa-1814-7fe1-aad1742b27da Enforce expiration of cached authenticators CMA_C1343 - Enforce expiration of cached authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ba02d0a0-566a-25dc-73f1-101c726a19c5 Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b9d45adb-471b-56a5-64d2-5b241f126174 Automate privacy controls CMA_C1817 - Automate privacy controls Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3ae68d9a-5696-8c32-62d3-c6f9c52e437c Refresh authenticators CMA_0425 - Refresh authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65 Update antivirus definitions CMA_0517 - Update antivirus definitions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4ac81669-00e2-9790-8648-71bc11bc91eb Manage the transportation of assets CMA_0370 - Manage the transportation of assets Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e435f7e3-0dd9-58c9-451f-9b44b96c0232 Implement controls to secure all media CMA_0314 - Implement controls to secure all media Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 74041cfe-3f87-1d17-79ec-34ca5f895542 Produce complete records of remote maintenance activities CMA_C1403 - Produce complete records of remote maintenance activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f8a63511-66f1-503f-196d-d6217ee0823a Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f6da5cca-5795-60ff-49e1-4972567815fe Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 01c387ea-383d-4ca9-295a-977fab516b03 Authorize remote access to privileged commands CMA_C1064 - Authorize remote access to privileged commands Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8aec4343-9153-9641-172c-defb201f56b3 Review cloud identity report overview CMA_0468 - Review cloud identity report overview Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 93fa357f-2e38-22a9-5138-8cc5124e1923 Categorize information CMA_0052 - Categorize information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance be38a620-000b-21cf-3cb3-ea151b704c3b Remediate information system flaws CMA_0427 - Remediate information system flaws Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2c843d78-8f64-92b5-6a9b-e8186c0e7eb6 Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8c255136-994b-9616-79f5-ae87810e0dcf Enable network protection CMA_0238 - Enable network protection Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1ee4c7eb-480a-0007-77ff-4ba370776266 Use system clocks for audit records CMA_0535 - Use system clocks for audit records Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b33d61c1-7463-7025-0ec0-a47585b59147 Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4b8fd5da-609b-33bf-9724-1c946285a14c Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 90a156a6-49ed-18d1-1052-69aac27c05cd Allocate resources in determining information system requirements CMA_C1561 - Allocate resources in determining information system requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d200f199-69f4-95a6-90b0-37ff0cf1040c Provide the capability to extend or limit auditing on customer-deployed resources CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5e4e9685-3818-5934-0071-2620c4fa2ca5 Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6ab47bbf-867e-9113-7998-89b58f77326a Respond to complaints, concerns, or questions timely CMA_C1853 - Respond to complaints, concerns, or questions timely Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1bc7fd64-291f-028e-4ed6-6e07886e163f Employ least privilege access CMA_0212 - Employ least privilege access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a90c4d44-7fac-8e02-6d5b-0d92046b20e6 Automate flaw remediation CMA_0027 - Automate flaw remediation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7ded6497-815d-6506-242b-e043e0273928 Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b470a37a-7a47-3792-34dd-7a793140702e Establish relationship between incident response capability and external providers CMA_C1376 - Establish relationship between incident response capability and external providers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 524e7136-9f6a-75ba-9089-501018151346 Document security and privacy training activities CMA_0198 - Document security and privacy training activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 33602e78-35e3-4f06-17fb-13dd887448e4 Conduct capacity planning CMA_C1252 - Conduct capacity planning Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 54a9c072-4a93-2a03-6a43-a060d30383d7 Eradicate contaminated information CMA_0253 - Eradicate contaminated information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6625638f-3ba1-7404-5983-0ea33d719d34 Review audit data CMA_0466 - Review audit data Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8f835d6a-4d13-9a9c-37dc-176cebd37fda Document wireless access security controls CMA_C1695 - Document wireless access security controls Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 05ec66a2-137c-14b8-8e75-3d7a2bef07f8 Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ffea18d9-13de-6505-37f3-4c1f88070ad7 Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b1666a13-8f67-9c47-155e-69e027ff6823 Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2401b496-7f23-79b2-9f80-89bb5abf3d4a Protect incident response plan CMA_0405 - Protect incident response plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 18e7906d-4197-20fa-2f14-aaac21864e71 Document process to ensure integrity of PII CMA_C1827 - Document process to ensure integrity of PII Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 55be3260-a7a2-3c06-7fe6-072d07525ab7 Accept PIV credentials CMA_C1347 - Accept PIV credentials Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 85335602-93f5-7730-830b-d43426fd51fa Integrate Audit record analysis CMA_C1120 - Integrate Audit record analysis Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e4054c0e-1184-09e6-4c5e-701e0bc90f81 Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08 Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 Implement cryptographic mechanisms CMA_C1419 - Implement cryptographic mechanisms Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance df54d34f-65f3-39f1-103c-a0464b8615df Manage transfers between standby and active system components CMA_0371 - Manage transfers between standby and active system components Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance afbecd30-37ee-a27b-8e09-6ac49951a0ee Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 056a723b-4946-9d2a-5243-3aa27c4d31a1 Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 836f8406-3b8a-11bb-12cb-6c7fa0765668 Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ced727b3-005e-3c5b-5cd5-230b79d56ee8 Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d4f70530-19a2-2a85-6e0c-0c3c465e3325 Make accounting of disclosures available upon request CMA_C1820 - Make accounting of disclosures available upon request Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b0e3035d-6366-2e37-796e-8bcab9c649e6 Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2f20840e-7925-221c-725d-757442753e7c Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 10874318-0bf7-a41f-8463-03e395482080 Correlate audit records CMA_0087 - Correlate audit records Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0f31d98d-5ce2-705b-4aa5-b4f6705110dd Prepare alternate processing site for use as operational site CMA_C1278 - Prepare alternate processing site for use as operational site Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f78fc35e-1268-0bca-a798-afcba9d2330a Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 98145a9b-428a-7e81-9d14-ebb154a24f93 View and investigate restricted users CMA_0545 - View and investigate restricted users Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 678ca228-042d-6d8e-a598-c58d5670437d Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e7422f08-65b4-50e4-3779-d793156e0079 Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance de770ba6-50dd-a316-2932-e0d972eaa734 Require approval for account creation CMA_0431 - Require approval for account creation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 21832235-7a07-61f4-530d-d596f76e5b95 Implement security testing, training, and monitoring plans CMA_C1753 - Implement security testing, training, and monitoring plans Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c72fc0c8-2df8-7506-30be-6ba1971747e1 Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d78f95ba-870a-a500-6104-8a5ce2534f19 Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance bd6cbcba-4a2d-507c-53e3-296b5c238a8e Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 22457e81-3ec6-5271-a786-c3ca284601dd Isolate information spills CMA_0346 - Isolate information spills Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6baae474-434f-2e91-7163-a72df30c4847 Manage security state of information systems CMA_C1746 - Manage security state of information systems Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 449ebb52-945b-36e5-3446-af6f33770f8f Update the security authorization CMA_C1160 - Update the security authorization Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 83dfb2b8-678b-20a0-4c44-5c75ada023e6 Document mobility training CMA_0191 - Document mobility training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ba99d512-3baa-1c38-8b0b-ae16bbd34274 Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1cb7bf71-841c-4741-438a-67c65fdd7194 Provide security training for new users CMA_0419 - Provide security training for new users Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 464a7d7a-2358-4869-0b49-6d582ca21292 Ensure capital planning and investment requests include necessary resources CMA_C1734 - Ensure capital planning and investment requests include necessary resources Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 26daf649-22d1-97e9-2a8a-01b182194d59 Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 42116f15-5665-a52a-87bb-b40e64c74b6c Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5b802722-71dd-a13d-2e7e-231e09589efb Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 585af6e9-90c0-4575-67a7-2f9548972e32 Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10 Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5020f3f4-a579-2f28-72a8-283c5a0b15f9 Restrict communications CMA_0449 - Restrict communications Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance cb8841d4-9d13-7292-1d06-ba4d68384681 Perform a business impact assessment and application criticality assessment CMA_0386 - Perform a business impact assessment and application criticality assessment Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 67ada943-8539-083d-35d0-7af648974125 Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a465e8e9-0095-85cb-a05f-1dd4960d02af Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 085467a6-9679-5c65-584a-f55acefd0d43 Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6de65dc4-8b4f-34b7-9290-eb137a2e2929 Develop and document application security requirements CMA_0148 - Develop and document application security requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e29a8f1b-149b-2fa3-969d-ebee1baa9472 Assign an authorizing official (AO) CMA_C1158 - Assign an authorizing official (AO) Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 Employ business case to record the resources required CMA_C1735 - Employ business case to record the resources required Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 Publish access procedures in SORNs CMA_C1848 - Publish access procedures in SORNs Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c6aeb800-0b19-944d-92dc-59b893722329 Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 214ea241-010d-8926-44cc-b90a96d52adc Compile Audit records into system wide audit CMA_C1140 - Compile Audit records into system wide audit Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 70fe686f-1f91-7dab-11bf-bca4201e183b Review role group changes weekly CMA_0476 - Review role group changes weekly Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8747b573-8294-86a0-8914-49e9b06a5ace Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 23d1a569-2d1e-7f43-9e22-1f94115b7dd5 Identify classes of Incidents and Actions taken CMA_C1365 - Identify classes of Incidents and Actions taken Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 318b2bd9-9c39-9f8b-46a7-048401f33476 Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6610f662-37e9-2f71-65be-502bdc2f554d Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4781e5fd-76b8-7d34-6df3-a0a7fca47665 Prevent identifier reuse for the defined time period CMA_C1314 - Prevent identifier reuse for the defined time period Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 06af77de-02ca-0f3e-838a-a9420fe466f5 Establish a discrete line item in budgeting documentation CMA_C1563 - Establish a discrete line item in budgeting documentation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9622aaa9-5c49-40e2-5bf8-660b7cd23deb Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 291f20d4-8d93-1d73-89f3-6ce28b825563 Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8d140e8b-76c7-77de-1d46-ed1b2e112444 Restrict access to private keys CMA_0445 - Restrict access to private keys Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ab02bb73-4ce1-89dd-3905-d93042809ba0 Align business objectives and IT goals CMA_0008 - Align business objectives and IT goals Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2067b904-9552-3259-0cdd-84468e284b7c Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 27ab3ac0-910d-724d-0afa-1a2a01e996c0 Respond to rectification requests CMA_0442 - Respond to rectification requests Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ca6d7878-3189-1833-4620-6c7254ed1607 Obtain continuous monitoring plan for security controls CMA_C1577 - Obtain continuous monitoring plan for security controls Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 27965e62-141f-8cca-426f-d09514ee5216 Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f48b60c6-4b37-332f-7288-b6ea50d300eb Review controlled folder access events CMA_0471 - Review controlled folder access events Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 75b42dcf-7840-1271-260b-852273d7906e Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2d4d0e90-32d9-4deb-2166-a00d51ed57c0 Provide information spillage training CMA_0413 - Provide information spillage training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3f1216b0-30ee-1ac9-3899-63eb744e85f5 Obtain Admin documentation CMA_C1580 - Obtain Admin documentation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 423f6d9c-0c73-9cc6-64f4-b52242490368 Develop security safeguards CMA_0161 - Develop security safeguards Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0e696f5a-451f-5c15-5532-044136538491 Protect audit information CMA_0401 - Protect audit information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9c954fcf-6dd8-81f1-41b5-832ae5c62caf Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f Ensure resources are authorized CMA_C1159 - Ensure resources are authorized Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 36b74844-4a99-4c80-1800-b18a516d1585 Control use of portable storage devices CMA_0083 - Control use of portable storage devices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d136ae80-54dd-321c-98b4-17acf4af2169 Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ffdaa742-0d6f-726f-3eac-6e6c34e36c93 Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance de077e7e-0cc8-65a6-6e08-9ab46c827b05 Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0803eaa7-671c-08a7-52fd-ac419f775e75 Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 75b9db50-7906-2351-98ae-0458218609e5 Retain accounting of disclosures of information CMA_C1819 - Retain accounting of disclosures of information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 80a97208-264e-79da-0cc7-4fca179a0c9c Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b5244f81-6cab-3188-2412-179162294996 Review publicly accessible content for nonpublic information CMA_C1086 - Review publicly accessible content for nonpublic information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5269d7e4-3768-501d-7e46-66c56c15622c Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance dc7ec756-221c-33c8-0afe-c48e10e42321 Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ebb0ba89-6d8c-84a7-252b-7393881e43de Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 37b0045b-3887-367b-8b4d-b9a6fa911bb9 Assess information security events CMA_0013 - Assess information security events Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a30bd8e9-7064-312a-0e1f-e1b485d59f6e Review exploit protection events CMA_0472 - Review exploit protection events Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 92b49e92-570f-1765-804a-378e6c592e28 Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7fc1f0da-0050-19bb-3d75-81ae15940df6 Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c5784049-959f-6067-420c-f4cefae93076 Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a08b18c7-9e0a-89f1-3696-d80902196719 Document access privileges CMA_0186 - Document access privileges Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 34d38ea7-6754-1838-7031-d7fd07099821 Manage system and admin accounts CMA_0368 - Manage system and admin accounts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 098dcde7-016a-06c3-0985-0daaf3301d3a Distribute authenticators CMA_0184 - Distribute authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 27ce30dd-3d56-8b54-6144-e26d9a37a541 Ensure audit records are not altered CMA_C1125 - Ensure audit records are not altered Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 477bd136-7dd9-55f8-48ac-bae096b86a07 Develop POA&M CMA_C1156 - Develop POA&M Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 33832848-42ab-63f3-1a55-c0ad309d44cd Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8489ff90-8d29-61df-2d84-f9ab0f4c5e84 Notify when account is not needed CMA_0383 - Notify when account is not needed Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance af227964-5b8b-22a2-9364-06d2cb9d6d7c Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7c7032fe-9ce6-9092-5890-87a1a3755db1 Retain terminated user data CMA_0455 - Retain terminated user data Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center 97566dd7-78ae-4997-8b36-1c7bfe0d8121 [Preview]: Secure Boot should be enabled on supported Windows virtual machines Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. Default
Audit
Allowed
Audit, Disabled
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b320aa42-33b4-53af-87ce-100091d48918 Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1fb1cb0e-1936-6f32-42fd-89970b535855 Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0a24f5dc-8c40-94a7-7aee-bb7cd4781d37 Issue guidelines for ensuring data quality and integrity CMA_C1824 - Issue guidelines for ensuring data quality and integrity Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 79f081c7-1634-01a1-708e-376197999289 Review user accounts CMA_0480 - Review user accounts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 01ae60e2-38bb-0a32-7b20-d3a091423409 Implement system boundary protection CMA_0328 - Implement system boundary protection Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7bdb79ea-16b8-453e-4ca4-ad5b16012414 Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b7306e73-0494-83a2-31f5-280e934a8f70 Develop and document a DDoS response plan CMA_0147 - Develop and document a DDoS response plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8bb40df9-23e4-4175-5db3-8dba86349b73 Confirm quality and integrity of PII CMA_C1821 - Confirm quality and integrity of PII Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b544f797-a73b-1be3-6d01-6b1a085376bc Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c981fa70-2e58-8141-1457-e7f62ebc2ade Document organizational access agreements CMA_0192 - Document organizational access agreements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f33c3238-11d2-508c-877c-4262ec1132e1 Recover and reconstitute resources after any disruption CMA_C1295 - Recover and reconstitute resources after any disruption Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8bfdbaa6-6824-3fec-9b06-7961bf7389a6 Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance de936662-13dc-204c-75ec-1af80f994088 Provide contingency training CMA_0412 - Provide contingency training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 62fa14f0-4cbe-762d-5469-0899a99b98aa Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b4e19d22-8c0e-7cad-3219-c84c62dc250f Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2af551d5-1775-326a-0589-590bfb7e9eb2 Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 00f12b6f-10d7-8117-9577-0f2b76488385 Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance aeed863a-0f56-429f-945d-8bb66bd06841 Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance bab9ef1d-a16d-421a-822d-3fa94e808156 Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2f67e567-03db-9d1f-67dc-b6ffb91312f4 Determine auditable events CMA_0137 - Determine auditable events Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b269a749-705e-8bff-055a-147744675cdf Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6f1de470-79f3-1572-866e-db0771352fc8 Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a44c9fba-43f8-4b7b-7ee6-db52c96b4366 Facilitate information sharing CMA_0284 - Facilitate information sharing Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 70057208-70cc-7b31-3c3a-121af6bc1966 Secure commitment from leadership CMA_0489 - Secure commitment from leadership Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 39999038-9ef1-602a-158c-ce2367185230 Define performance metrics CMA_0124 - Define performance metrics Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e21f91d1-2803-0282-5f2d-26ebc4b170ef Update organizational access agreements CMA_0520 - Update organizational access agreements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3545c827-26ee-282d-4629-23952a12008b Conduct incident response testing CMA_0060 - Conduct incident response testing Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center 1cb4d9c2-f88f-4069-bee0-dba239a57b09 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5c33538e-02f8-0a7f-998b-a4c1e22076d3 Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d42a8f69-a193-6cbc-48b9-04a9e29961f1 Protect wireless access CMA_0411 - Protect wireless access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 518eafdd-08e5-37a9-795b-15a8d798056d Provide privacy training CMA_0415 - Provide privacy training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8b1da407-5e60-5037-612e-2caa1b590719 Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0a412110-3874-9f22-187a-c7a81c8a6704 Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f8d141b7-4e21-62a6-6608-c79336e36bc9 Establish privacy requirements for contractors and service providers CMA_C1810 - Establish privacy requirements for contractors and service providers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 98e33927-8d7f-6d5f-44f5-2469b40b7215 Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 20762f1e-85fb-31b0-a600-e833633f10fe Reveal error messages CMA_C1725 - Reveal error messages Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d48a6f19-a284-6fc6-0623-3367a74d3f50 Update interconnection security agreements CMA_0519 - Update interconnection security agreements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 279052a0-8238-694d-9661-bf649f951747 Identify contaminated systems and components CMA_0300 - Identify contaminated systems and components Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4f23967c-a74b-9a09-9dc2-f566f61a87b9 Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance a8f9c283-9a66-3eb3-9e10-bdba95b85884 Run simulation attacks CMA_0486 - Run simulation attacks Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance cf79f602-1e60-5423-6c0c-e632c2ea1fc0 Implement controls to protect PII CMA_C1839 - Implement controls to protect PII Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 069101ac-4578-31da-0cd4-ff083edd3eb4 Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c2eabc28-1e5c-78a2-a712-7cc176c44c07 Implement a penetration testing methodology CMA_0306 - Implement a penetration testing methodology Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8b333332-6efd-7c0d-5a9f-d1eb95105214 Employ FIPS 201-approved technology for PIV CMA_C1579 - Employ FIPS 201-approved technology for PIV Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ba78efc6-795c-64f4-7a02-91effbd34af9 Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b6ad009f-5c24-1dc0-a25e-74b60e4da45f Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b28c8687-4bbd-8614-0b96-cdffa1ac6d9c Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d02498e0-8a6f-6b02-8332-19adf6711d1e Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f476f3b0-4152-526e-a209-44e5f8c968d7 Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 516be556-1353-080d-2c2f-f46f000d5785 Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 04837a26-2601-1982-3da7-bf463e6408f4 Develop configuration management plan CMA_C1232 - Develop configuration management plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 37546841-8ea1-5be0-214d-8ac599588332 Maintain incident response plan CMA_0352 - Maintain incident response plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance eff6e4a5-3efe-94dd-2ed1-25d56a019a82 Distribute policies and procedures CMA_0185 - Distribute policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f741c4e6-41eb-15a4-25a2-61ac7ca232f0 Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 898a5781-2254-5a37-34c7-d78ea7c20d55 Publish SORNs for systems containing PII CMA_C1862 - Publish SORNs for systems containing PII Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c8aa992d-76b7-7ca0-07b3-31a58d773fa9 Employ automated training environment CMA_C1357 - Employ automated training environment Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance bbb2e6d6-085f-5a35-a55d-e45daad38933 Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4ce91e4e-6dab-3c46-011a-aa14ae1561bf Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0471c6b7-1588-701c-2713-1fade73b75f6 Display an explicit logout message CMA_C1056 - Display an explicit logout message Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f9ec3263-9562-1768-65a1-729793635a8d Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9e3c505e-7aeb-2096-3417-b132242731fc Review content prior to posting publicly accessible information CMA_C1085 - Review content prior to posting publicly accessible information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c4ccd607-702b-8ae6-8eeb-fc3339cd4b42 Define cryptographic use CMA_0120 - Define cryptographic use Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 91a54089-2d69-0f56-62dc-b6371a1671c0 Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 72889284-15d2-90b2-4b39-a1e9541e1152 Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance eda0cbb7-6043-05bf-645b-67411f1a59b3 Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2cc9c165-46bd-9762-5739-d2aae5ba90a1 Automate account management CMA_0026 - Automate account management Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 509552f5-6528-3540-7959-fbeae4832533 Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance dad8a2e9-6f27-4fc2-8933-7e99fe700c9c Authorize remote access CMA_0024 - Authorize remote access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1fdf0b24-4043-3c55-357e-036985d50b52 Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 82bd024a-5c99-05d6-96ff-01f539676a1a Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6f3866e8-6e12-69cf-788c-809d426094a1 Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4012c2b7-4e0e-a7ab-1688-4aab43f14420 Map authenticated identities to individuals CMA_0372 - Map authenticated identities to individuals Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 84245967-7882-54f6-2d34-85059f725b47 Establish an information security program CMA_0263 - Establish an information security program Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ff136354-1c92-76dc-2dab-80fb7c6a9f1a Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4502e506-5f35-0df4-684f-b326e3cc7093 Terminate user session automatically CMA_C1054 - Terminate user session automatically Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 Incorporate simulated events into incident response training CMA_C1356 - Incorporate simulated events into incident response training Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5f2e834d-7e40-a4d5-a216-e49b16955ccf Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ef5a7059-6651-73b1-18b3-75b1b79c1565 Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e8c31e15-642d-600f-78ab-bad47a5787e6 Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 68d2e478-3b19-23eb-1357-31b296547457 Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d6653f89-7cb5-24a4-9d71-51581038231b Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 5d3abfea-a130-1208-29c0-e57de80aa6b0 Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3eabed6d-1912-2d3c-858b-f438d08d0412 Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Monitoring 383c45fa-8b64-4d1c-aa9f-e69d2d879aa4 The legacy Log Analytics extension should not be installed on Linux virtual machine scale sets Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f131c8c5-a54a-4888-1efc-158928924bc1 Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8b077bff-516f-3983-6c42-c86e9a11868b Designate individuals to fulfill specific roles and responsibilities CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 39eb03c1-97cc-11ab-0960-6209ed2869f7 Establish a privacy program CMA_0257 - Establish a privacy program Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b7897ddc-9716-2460-96f7-7757ad038cc4 Assign risk designations CMA_0016 - Assign risk designations Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c148208b-1a6f-a4ac-7abc-23b1d41121b1 Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 8a703eb5-4e53-701b-67e4-05ba2f7930c8 Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 096a7055-30cb-2db4-3fda-41b20ac72667 Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 7380631c-5bf5-0e3a-4509-0873becd8a63 Establish a configuration control board CMA_0254 - Establish a configuration control board Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance e3905a3c-97e7-0b4f-15fb-465c0927536f Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9150259b-617b-596d-3bf5-5ca3fce20335 Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f29b17a4-0df2-8a50-058a-8570f9979d28 Assign system identifiers CMA_0018 - Assign system identifiers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d91558ce-5a5c-551b-8fbb-83f793255e09 Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 098a7b84-1031-66d8-4e78-bd15b5fd2efb Provide privacy notice CMA_0414 - Provide privacy notice Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b2ea1058-8998-3dd1-84f1-82132ad482fd Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b8689b2e-4308-a58b-a0b4-6f3343a000df Use automated mechanisms for security alerts CMA_C1707 - Use automated mechanisms for security alerts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f30edfad-4e1d-1eef-27ee-9292d6d89842 Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance fd81a1b3-2d7a-107c-507e-29b87d040c19 Enforce appropriate usage of all accounts CMA_C1023 - Enforce appropriate usage of all accounts Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ced291b8-1d3d-7e27-40cf-829e9dd523c8 Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 96333008-988d-4add-549b-92b3a8c42063 Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 52375c01-4d4c-7acc-3aa4-5b3d53a047ec Define the duties of processors CMA_0127 - Define the duties of processors Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1afada58-8b34-7ac2-a38a-983218635201 Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b11697e8-9515-16f1-7a35-477d5c8a1344 Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 729c8708-2bec-093c-8427-2e87d2cd426d Automate notification of employee termination CMA_C1521 - Automate notification of employee termination Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance ece8bb17-4080-5127-915f-dc7267ee8549 Verify security functions CMA_C1708 - Verify security functions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance bb048641-6017-7272-7772-a008f285a520 Develop spillage response procedures CMA_0162 - Develop spillage response procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6c0a312f-04c5-5c97-36a5-e56763a02b6b Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d8350d4c-9314-400b-288f-20ddfce04fbd Define and enforce the limit of concurrent sessions CMA_C1050 - Define and enforce the limit of concurrent sessions Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance f8ded0c6-a668-9371-6bb6-661d58787198 Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d36700f2-2f0d-7c2a-059c-bdadd1d79f70 Establish a risk management strategy CMA_0258 - Establish a risk management strategy Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4 Define mobile device requirements CMA_0122 - Define mobile device requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 6f311b49-9b0d-8c67-3d6e-db80ae528173 Bind authenticators and identities dynamically CMA_0035 - Bind authenticators and identities dynamically Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance efef28d0-3226-966a-a1e8-70e89c1b30bc Retain security policies and procedures CMA_0454 - Retain security policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 311802f9-098d-0659-245a-94c5d47c0182 Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance dd6d00a8-701a-5935-a22b-c7b9c0c698b2 Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 526ed90e-890f-69e7-0386-ba5c0f1f784f Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b4512986-80f5-1656-0c58-08866bd2673a Designate authorized personnel to post publicly accessible information CMA_C1083 - Designate authorized personnel to post publicly accessible information Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 4e45863d-9ea9-32b4-a204-2680bc6007a6 Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3b30aa25-0f19-6c04-5ca4-bd3f880a763d Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2b2f3a72-9e68-3993-2b69-13dcdecf8958 Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f Perform vulnerability scans CMA_0393 - Perform vulnerability scans Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 2b05dca2-25ec-9335-495c-29155f785082 Provide security training before providing access CMA_0418 - Provide security training before providing access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance afd5d60a-48d2-8073-1ec2-6687e22f2ddd Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance db8b35d6-8adb-3f51-44ff-c648ab5b1530 Employ FICAM-approved resources to accept third-party credentials CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 16c54e01-9e65-7524-7c33-beda48a75779 Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance c7fddb0e-3f44-8635-2b35-dc6b8e740b7c Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 97cfd944-6f0c-7db2-3796-8e890ef70819 Establish conditions for role membership CMA_0269 - Establish conditions for role membership Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance b3c8cc83-20d3-3890-8bc8-5568777670f4 Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance adf517f3-6dcd-3546-9928-34777d0c277e Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 0fd1ca29-677b-2f12-1879-639716459160 Maintain data breach records CMA_0351 - Maintain data breach records Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 48c816c5-2190-61fc-8806-25d6f3df162f Monitor access across the organization CMA_0376 - Monitor access across the organization Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance fe2dff43-0a8c-95df-0432-cb1c794b17d0 Notify users of system logon or access CMA_0382 - Notify users of system logon or access Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance d661e9eb-4e15-5ba1-6f02-cdc467db0d6c Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance bd4dc286-2f30-5b95-777c-681f3a7913d3 Establish and document change control processes CMA_0265 - Establish and document change control processes Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Regulatory Compliance 3153d9c0-2584-14d3-362d-578b01358aeb Retain training records CMA_0456 - Retain training records Default
Manual
Allowed
Manual, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-09-27 16:35:32 BuiltIn
Security Center 1288c8d7-4b05-4e3a-bc88-9053caefc021 Configure ChangeTracking Extension for Linux virtual machine scale sets Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-09-23 16:35:49 BuiltIn
Security Center 10caed8a-652c-4d1d-84e4-2805b7c07278 Configure ChangeTracking Extension for Linux Arc machines Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-09-23 16:35:49 BuiltIn
Network 711c24bb-7f18-4578-b192-81a6161e1f17 [Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4cd5 Configure ChangeTracking Extension for Windows Arc machines Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-09-23 16:35:49 BuiltIn
Security Center ec88097d-843f-4a92-8471-78016d337ba4 Configure ChangeTracking Extension for Linux virtual machines Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-09-23 16:35:49 BuiltIn
Network 6484db87-a62d-4327-9f07-80a2cbdf333a [Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-09-23 16:35:49 BuiltIn
Monitoring ba6881f9-ab93-498b-8bad-bb91b1d755bf The legacy Log Analytics extension should not be installed on virtual machine scale sets Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Security Center f08f556c-12ff-464d-a7de-40cb5b6cccec Configure ChangeTracking Extension for Windows virtual machines Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-09-23 16:35:49 BuiltIn
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-09-23 16:35:49 BuiltIn
Security Center 9297c21d-2ed6-4474-b48f-163f75654ce3 [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (3.0.0 > 3.0.1) 2022-09-23 16:35:49 BuiltIn
Storage b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb Configure diagnostic settings for Blob Services to Log Analytics workspace Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-09-23 16:35:49 BuiltIn
Guest Configuration 357cbd2d-b5c0-4c73-b40c-6bd84f06ce09 [Preview]: Configure Windows Server to disable local users. Creates a Guest Configuration assignment to configure disabling local users on Windows Server. This ensures that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Guest Configuration Resource Contributor
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d2c Configure ChangeTracking Extension for Windows virtual machine scale sets Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-09-23 16:35:49 BuiltIn
Storage 59759c62-9a22-4cdf-ae64-074495983fef Configure diagnostic settings for Storage Accounts to Log Analytics workspace Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-09-23 16:35:49 BuiltIn
Network 632d3993-e2c0-44ea-a7db-2eca131f356d [Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-09-23 16:35:49 BuiltIn
Storage 25a70cc8-2bd4-47f1-90b6-1478e4662c96 Configure diagnostic settings for File Services to Log Analytics workspace Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-09-23 16:35:49 BuiltIn
Network f516dc7a-4543-4d40-aad6-98f76a706b50 [Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Monitoring df441472-4dae-4e4e-87b9-9205ba46be16 The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Windows servers. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Storage 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 Storage accounts should prevent shared key access Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-09-23 16:35:49 BuiltIn
Network 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 [Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Monitoring d2185817-5b7e-473c-aadd-9de6ac114280 The legacy Log Analytics extension should not be installed on virtual machines Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. Learn more: https://aka.ms/migratetoAMA Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Network f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf [Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-23 16:35:49 BuiltIn
Regulatory Compliance 6baae474-434f-2e91-7163-a72df30c4847 Manage security state of information systems CMA_C1746 - Manage security state of information systems Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ef5a7059-6651-73b1-18b3-75b1b79c1565 Define information security roles and responsibilities CMA_C1565 - Define information security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b269a749-705e-8bff-055a-147744675cdf Conduct backup of information system documentation CMA_C1289 - Conduct backup of information system documentation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance a44c9fba-43f8-4b7b-7ee6-db52c96b4366 Facilitate information sharing CMA_0284 - Facilitate information sharing Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 08c11b48-8745-034d-1c1b-a144feec73b9 Restrict use of open source software CMA_C1237 - Restrict use of open source software Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 24b7a1c6-44fe-40cc-a2e6-242d2ef70e98 App Service app slots should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b470a37a-7a47-3792-34dd-7a793140702e Establish relationship between incident response capability and external providers CMA_C1376 - Establish relationship between incident response capability and external providers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 18e9d748-73d4-0c96-55ab-b108bfbd5bc3 Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.1.0 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance c6fe3856-4635-36b6-983c-070da12a953b Implement the risk management strategy CMA_C1744 - Implement the risk management strategy Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance a4493012-908c-5f48-a468-1e243be884ce Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ba02d0a0-566a-25dc-73f1-101c726a19c5 Implement transaction based recovery CMA_C1296 - Implement transaction based recovery Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.0.1 > 6.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 22457e81-3ec6-5271-a786-c3ca284601dd Isolate information spills CMA_0346 - Isolate information spills Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.0.1 > 7.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 0065241c-72e9-3b2c-556f-75de66332a94 Establish parameters for searching secret authenticators and verifiers CMA_0274 - Establish parameters for searching secret authenticators and verifiers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 834b7a4a-83ab-2188-1a26-9c5033d8173b Incorporate security and data privacy practices in research processing CMA_0331 - Incorporate security and data privacy practices in research processing Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance c3b3cc61-9c70-5d78-7f12-1aefcc477db7 Review security testing, training, and monitoring plans CMA_C1754 - Review security testing, training, and monitoring plans Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b Configure App Service apps to turn off remote debugging Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.0 > 5.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51 Publish access procedures in SORNs CMA_C1848 - Publish access procedures in SORNs Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 0716f0f5-4955-2ccb-8d5e-c6be14d57c0f Ensure resources are authorized CMA_C1159 - Ensure resources are authorized Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d8350d4c-9314-400b-288f-20ddfce04fbd Define and enforce the limit of concurrent sessions CMA_C1050 - Define and enforce the limit of concurrent sessions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 5f2e834d-7e40-a4d5-a216-e49b16955ccf Establish requirements for internet service providers CMA_0278 - Establish requirements for internet service providers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.0 > 5.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance de077e7e-0cc8-65a6-6e08-9ab46c827b05 Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 46ab2c5e-6654-1f58-8c83-e97a44f39308 Identify external service providers CMA_C1591 - Identify external service providers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 08cf2974-d178-48a0-b26d-f6b8e555748b Configure Function app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e21f91d1-2803-0282-5f2d-26ebc4b170ef Update organizational access agreements CMA_0520 - Update organizational access agreements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f6da5cca-5795-60ff-49e1-4972567815fe Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d136ae80-54dd-321c-98b4-17acf4af2169 Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 396f465d-375e-57de-58ba-021adb008191 Invalidate session identifiers at logout CMA_C1661 - Invalidate session identifiers at logout Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 524e7136-9f6a-75ba-9089-501018151346 Document security and privacy training activities CMA_0198 - Document security and privacy training activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (7.0.0 > 8.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 898a5781-2254-5a37-34c7-d78ea7c20d55 Publish SORNs for systems containing PII CMA_C1862 - Publish SORNs for systems containing PII Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service c285a320-8830-4665-9cc7-bbd05fc7c5c0 App Service app slots should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 83eea3d3-0d2c-9ccd-1021-2111b29b2a62 Ensure system capable of dynamic isolation of resources CMA_C1638 - Ensure system capable of dynamic isolation of resources Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4 Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance cbfa1bd0-714d-8d6f-0480-2ad6a53972df Define and document government oversight CMA_C1587 - Define and document government oversight Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 22a02c9a-49e4-5dc9-0d14-eb35ad717154 Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 68d2e478-3b19-23eb-1357-31b296547457 Enforce software execution privileges CMA_C1041 - Enforce software execution privileges Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3bd4e0af-7cbb-a3ec-4918-056a3c017ae2 Keep SORNs updated CMA_C1863 - Keep SORNs updated Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 178c8b7e-1b6e-4289-44dd-2f1526b678a1 Ensure alternate storage site safeguards are equivalent to primary site CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance afd5d60a-48d2-8073-1ec2-6687e22f2ddd Require notification of third-party personnel transfer or termination CMA_C1532 - Require notification of third-party personnel transfer or termination Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e1379836-3492-6395-451d-2f5062e14136 Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f801d58e-5659-9a4a-6e8d-02c9334732e5 Restore resources to operational state CMA_C1297 - Restore resources to operational state Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance a30bd8e9-7064-312a-0e1f-e1b485d59f6e Review exploit protection events CMA_0472 - Review exploit protection events Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 06af77de-02ca-0f3e-838a-a9420fe466f5 Establish a discrete line item in budgeting documentation CMA_C1563 - Establish a discrete line item in budgeting documentation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 8b333332-6efd-7c0d-5a9f-d1eb95105214 Employ FIPS 201-approved technology for PIV CMA_C1579 - Employ FIPS 201-approved technology for PIV Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 20012034-96f0-85c2-4a86-1ae1eb457802 Review and update risk assessment policies and procedures CMA_C1537 - Review and update risk assessment policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 8f835d6a-4d13-9a9c-37dc-176cebd37fda Document wireless access security controls CMA_C1695 - Document wireless access security controls Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service dcbc65aa-59f3-4239-8978-3bb869d82604 App Service apps should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance cf79f602-1e60-5423-6c0c-e632c2ea1fc0 Implement controls to protect PII CMA_C1839 - Implement controls to protect PII Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 015b4935-448a-8684-27c0-d13086356c33 Implement a threat awareness program CMA_C1758 - Implement a threat awareness program Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.0.0 > 6.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 037c0089-6606-2dab-49ad-437005b5035f Identify incident response personnel CMA_0301 - Identify incident response personnel Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 9c954fcf-6dd8-81f1-41b5-832ae5c62caf Incorporate simulated contingency training CMA_C1260 - Incorporate simulated contingency training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance de936662-13dc-204c-75ec-1af80f994088 Provide contingency training CMA_0412 - Provide contingency training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 449ebb52-945b-36e5-3446-af6f33770f8f Update the security authorization CMA_C1160 - Update the security authorization Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 7fc1f0da-0050-19bb-3d75-81ae15940df6 Provide monitoring information as needed CMA_C1689 - Provide monitoring information as needed Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Network e920df7f-9a64-4066-9b58-52684c02a091 Configure network security groups to enable traffic analytics Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2022-09-19 17:41:40 BuiltIn
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 75b42dcf-7840-1271-260b-852273d7906e Develop contingency planning policies and procedures CMA_0156 - Develop contingency planning policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3a868d0c-538f-968b-0191-bddb44da5b75 Require developers to document approved changes and potential impact CMA_C1597 - Require developers to document approved changes and potential impact Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b33d61c1-7463-7025-0ec0-a47585b59147 Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 74041cfe-3f87-1d17-79ec-34ca5f895542 Produce complete records of remote maintenance activities CMA_C1403 - Produce complete records of remote maintenance activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 4012c2b7-4e0e-a7ab-1688-4aab43f14420 Map authenticated identities to individuals CMA_0372 - Map authenticated identities to individuals Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b8689b2e-4308-a58b-a0b4-6f3343a000df Use automated mechanisms for security alerts CMA_C1707 - Use automated mechanisms for security alerts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 5bac5fb7-7735-357b-767d-02264bfe5c3b Perform all non-local maintenance CMA_C1417 - Perform all non-local maintenance Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance dd2523d5-2db3-642b-a1cf-83ac973b32c2 Establish benchmarks for flaw remediation CMA_C1675 - Establish benchmarks for flaw remediation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 70057208-70cc-7b31-3c3a-121af6bc1966 Secure commitment from leadership CMA_0489 - Secure commitment from leadership Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 2e7a98c9-219f-0d58-38dc-d69038224442 Protect the information security program plan CMA_C1732 - Protect the information security program plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 91cf132e-0c9f-37a8-a523-dc6a92cd2fb2 Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service fd34e936-069e-4fe5-bac6-f7c9824caab6 App Service app slots should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 28aa060e-25c7-6121-05d8-a846f11433df Review and update planning policies and procedures CMA_C1491 - Review and update planning policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d91558ce-5a5c-551b-8fbb-83f793255e09 Route traffic through authenticated proxy network CMA_C1633 - Route traffic through authenticated proxy network Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 096a7055-30cb-2db4-3fda-41b20ac72667 Require interconnection security agreements CMA_C1151 - Require interconnection security agreements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 84a01872-5318-049e-061e-d56734183e84 Distribute information system documentation CMA_C1584 - Distribute information system documentation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.0.0 > 6.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3153d9c0-2584-14d3-362d-578b01358aeb Retain training records CMA_0456 - Retain training records Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ab02bb73-4ce1-89dd-3905-d93042809ba0 Align business objectives and IT goals CMA_0008 - Align business objectives and IT goals Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b9d45adb-471b-56a5-64d2-5b241f126174 Automate privacy controls CMA_C1817 - Automate privacy controls Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.2.1 > 7.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 0f31d98d-5ce2-705b-4aa5-b4f6705110dd Prepare alternate processing site for use as operational site CMA_C1278 - Prepare alternate processing site for use as operational site Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.1 > 4.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b65c5d8e-9043-9612-2c17-65f231d763bb Employ independent assessors to conduct security control assessments CMA_C1148 - Employ independent assessors to conduct security control assessments Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 80029bc5-834f-3a9c-a2d8-acbc1aab4e9f Employ restrictions on external system interconnections CMA_C1155 - Employ restrictions on external system interconnections Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 1a2a03a4-9992-5788-5953-d8f6615306de Govern policies and procedures CMA_0292 - Govern policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 95eb7d09-9937-5df9-11d9-20317e3f60df Provide formal notice to individuals CMA_C1864 - Provide formal notice to individuals Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b320aa42-33b4-53af-87ce-100091d48918 Document third-party personnel security requirements CMA_C1531 - Document third-party personnel security requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 22c16ae4-19d0-29cb-422f-cb44061180ee Disable user accounts posing a significant risk CMA_C1026 - Disable user accounts posing a significant risk Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance c7e8ddc1-14aa-1814-7fe1-aad1742b27da Enforce expiration of cached authenticators CMA_C1343 - Enforce expiration of cached authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 00f12b6f-10d7-8117-9577-0f2b76488385 Integrate risk management process into SDLC CMA_C1567 - Integrate risk management process into SDLC Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Network 5e1cd26a-5090-4fdb-9d6a-84a90335e22d Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2022-09-19 17:41:40 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.0.1 > 7.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 76d66b5c-85e4-93f5-96a5-ebb2fad61dc6 Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance eda0cbb7-6043-05bf-645b-67411f1a59b3 Ensure there are no unencrypted static authenticators CMA_C1340 - Ensure there are no unencrypted static authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e4054c0e-1184-09e6-4c5e-701e0bc90f81 Report atypical behavior of user accounts CMA_C1025 - Report atypical behavior of user accounts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.1 > 5.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 53fc1282-0ee3-2764-1319-e20143bb0ea5 Review contingency plan CMA_C1247 - Review contingency plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (1.1.0-preview > 2.1.0-preview) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 2af4640d-11a6-a64b-5ceb-a468f4341c0c Define and enforce inactivity log policy CMA_C1017 - Define and enforce inactivity log policy Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b8587fce-138f-86e8-33a3-c60768bf1da6 Automate remote maintenance activities CMA_C1402 - Automate remote maintenance activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 59f7feff-02aa-6539-2cf7-bea75b762140 Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance aa305b4d-8c84-1754-0c74-dec004e66be0 Develop contingency plan CMA_C1244 - Develop contingency plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71 Function app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 14a4fd0a-9100-1e12-1362-792014a28155 Update contingency plan CMA_C1248 - Update contingency plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 20762f1e-85fb-31b0-a600-e833633f10fe Reveal error messages CMA_C1725 - Reveal error messages Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance bb048641-6017-7272-7772-a008f285a520 Develop spillage response procedures CMA_0162 - Develop spillage response procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 10c3a1b1-29b0-a2d5-8f4c-a284b0f07830 Implement cryptographic mechanisms CMA_C1419 - Implement cryptographic mechanisms Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d9edcea6-6cb8-0266-a48c-2061fbac4310 Plan for continuance of essential business functions CMA_C1255 - Plan for continuance of essential business functions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9 Review and update personnel security policies and procedures CMA_C1507 - Review and update personnel security policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance c6aeb800-0b19-944d-92dc-59b893722329 Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e750ca06-1824-464a-2cf3-d0fa754d1cb4 Establish a secure software development program CMA_0259 - Establish a secure software development program Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 0471c6b7-1588-701c-2713-1fade73b75f6 Display an explicit logout message CMA_C1056 - Display an explicit logout message Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance a90c4d44-7fac-8e02-6d5b-0d92046b20e6 Automate flaw remediation CMA_0027 - Automate flaw remediation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance c8aa992d-76b7-7ca0-07b3-31a58d773fa9 Employ automated training environment CMA_C1357 - Employ automated training environment Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ba99d512-3baa-1c38-8b0b-ae16bbd34274 Test contingency plan at an alternate processing location CMA_C1265 - Test contingency plan at an alternate processing location Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 55be3260-a7a2-3c06-7fe6-072d07525ab7 Accept PIV credentials CMA_C1347 - Accept PIV credentials Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 Configure Function apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 1fdeb7c4-4c93-8271-a135-17ebe85f1cc7 Incorporate simulated events into incident response training CMA_C1356 - Incorporate simulated events into incident response training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 77cc89bb-774f-48d7-8a84-fb8c322c3000 Track software license usage CMA_C1235 - Track software license usage Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f30edfad-4e1d-1eef-27ee-9292d6d89842 Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ff136354-1c92-76dc-2dab-80fb7c6a9f1a Observe and report security weaknesses CMA_0384 - Observe and report security weaknesses Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 6de65dc4-8b4f-34b7-9290-eb137a2e2929 Develop and document application security requirements CMA_0148 - Develop and document application security requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3baee3fd-30f5-882c-018c-cc78703a0106 Employ independent assessors for continuous monitoring CMA_C1168 - Employ independent assessors for continuous monitoring Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 4b8fd5da-609b-33bf-9724-1c946285a14c Notify Account Managers of customer controlled accounts CMA_C1009 - Notify Account Managers of customer controlled accounts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 2401b496-7f23-79b2-9f80-89bb5abf3d4a Protect incident response plan CMA_0405 - Protect incident response plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d9af7f88-686a-5a8b-704b-eafdab278977 Obtain legal opinion for monitoring system activities CMA_C1688 - Obtain legal opinion for monitoring system activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Storage b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb Configure diagnostic settings for Blob Services to Log Analytics workspace Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
App Service 2f7c08c2-f671-4282-9fdb-597b6ef2c10d [Deprecated]: App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 56fb5173-3865-5a5d-5fad-ae33e53e1577 Address information security issues CMA_C1742 - Address information security issues Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3eabed6d-1912-2d3c-858b-f438d08d0412 Ensure external providers consistently meet interests of the customers CMA_C1592 - Ensure external providers consistently meet interests of the customers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b7306e73-0494-83a2-31f5-280e934a8f70 Develop and document a DDoS response plan CMA_0147 - Develop and document a DDoS response plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 5269d7e4-3768-501d-7e46-66c56c15622c Manage contacts for authorities and special interest groups CMA_0359 - Manage contacts for authorities and special interest groups Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 085467a6-9679-5c65-584a-f55acefd0d43 Require developers to implement only approved changes CMA_C1596 - Require developers to implement only approved changes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.0.2 > 6.0.0) 2022-09-19 17:41:40 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
Storage 25a70cc8-2bd4-47f1-90b6-1478e4662c96 Configure diagnostic settings for File Services to Log Analytics workspace Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3af53f59-979f-24a8-540f-d7cdbc366607 Require users to sign access agreement CMA_0440 - Require users to sign access agreement Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 6a379d74-903b-244a-4c44-838728bea6b0 Analyse data obtained from continuous monitoring CMA_C1169 - Analyse data obtained from continuous monitoring Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 0fd1ca29-677b-2f12-1879-639716459160 Maintain data breach records CMA_0351 - Maintain data breach records Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service a1a22235-dd10-4062-bd55-7d62778f41b0 Function app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 7a114735-a420-057d-a651-9a73cd0416ef Require developers to provide unified security protection approach CMA_C1614 - Require developers to provide unified security protection approach Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 75b9db50-7906-2351-98ae-0458218609e5 Retain accounting of disclosures of information CMA_C1819 - Retain accounting of disclosures of information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 2f204e72-1896-3bf8-75c9-9128b8683a36 Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (3.0.0 > 4.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 6f311b49-9b0d-8c67-3d6e-db80ae528173 Bind authenticators and identities dynamically CMA_0035 - Bind authenticators and identities dynamically Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 725164e5-3b21-1ec2-7e42-14f077862841 Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance c981fa70-2e58-8141-1457-e7f62ebc2ade Document organizational access agreements CMA_0192 - Document organizational access agreements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 6bededc0-2985-54d5-4158-eb8bad8070a0 Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (3.0.0 > 4.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance be1c34ab-295a-07a6-785c-36f63c1d223e Obtain user security function documentation CMA_C1581 - Obtain user security function documentation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f6794ab8-9a7d-3b24-76ab-265d3646232b Provide role-based training on suspicious activities CMA_C1097 - Provide role-based training on suspicious activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance df54d34f-65f3-39f1-103c-a0464b8615df Manage transfers between standby and active system components CMA_0371 - Manage transfers between standby and active system components Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d48a6f19-a284-6fc6-0623-3367a74d3f50 Update interconnection security agreements CMA_0519 - Update interconnection security agreements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance dc7ec756-221c-33c8-0afe-c48e10e42321 Verify security controls for external information systems CMA_0541 - Verify security controls for external information systems Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 29acfac0-4bb4-121b-8283-8943198b1549 Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 25a5046c-c423-4805-9235-e844ae9ef49b Configure Function apps to turn off remote debugging Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d200f199-69f4-95a6-90b0-37ff0cf1040c Provide the capability to extend or limit auditing on customer-deployed resources CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance bf883b14-9c19-0f37-8825-5e39a8b66d5b Perform threat modeling CMA_0392 - Perform threat modeling Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 0a412110-3874-9f22-187a-c7a81c8a6704 Establish alternate storage site to store and retrieve backup information CMA_C1267 - Establish alternate storage site to store and retrieve backup information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3f1216b0-30ee-1ac9-3899-63eb744e85f5 Obtain Admin documentation CMA_C1580 - Obtain Admin documentation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 92b94485-1c49-3350-9ada-dffe94f08e87 Obtain approvals for acquisitions and outsourcing CMA_C1590 - Obtain approvals for acquisitions and outsourcing Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance db8b35d6-8adb-3f51-44ff-c648ab5b1530 Employ FICAM-approved resources to accept third-party credentials CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance bbb2e6d6-085f-5a35-a55d-e45daad38933 Provide secure name and address resolution services CMA_0416 - Provide secure name and address resolution services Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 464a7d7a-2358-4869-0b49-6d582ca21292 Ensure capital planning and investment requests include necessary resources CMA_C1734 - Ensure capital planning and investment requests include necessary resources Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 44b71aa8-099d-8b97-1557-0e853ec38e0d Obtain functional properties of security controls CMA_C1575 - Obtain functional properties of security controls Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b7897ddc-9716-2460-96f7-7757ad038cc4 Assign risk designations CMA_0016 - Assign risk designations Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6 Review development process, standards and tools CMA_C1610 - Review development process, standards and tools Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 41172402-8d73-64c7-0921-909083c086b0 Not allow for information systems to accompany with individuals CMA_C1182 - Not allow for information systems to accompany with individuals Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f131c8c5-a54a-4888-1efc-158928924bc1 Require developers to build security architecture CMA_C1612 - Require developers to build security architecture Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (7.0.0 > 8.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 39999038-9ef1-602a-158c-ce2367185230 Define performance metrics CMA_0124 - Define performance metrics Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 4edaca8c-0912-1ac5-9eaa-6a1057740fae Provide capability to disconnect or disable remote access CMA_C1066 - Provide capability to disconnect or disable remote access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.1 > 4.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f8a63511-66f1-503f-196d-d6217ee0823a Require developers to produce evidence of security assessment plan execution CMA_C1602 - Require developers to produce evidence of security assessment plan execution Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 8b077bff-516f-3983-6c42-c86e9a11868b Designate individuals to fulfill specific roles and responsibilities CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (8.0.0 > 9.0.0) 2022-09-19 17:41:40 BuiltIn
Storage 59759c62-9a22-4cdf-ae64-074495983fef Configure diagnostic settings for Storage Accounts to Log Analytics workspace Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance eff6e4a5-3efe-94dd-2ed1-25d56a019a82 Distribute policies and procedures CMA_0185 - Distribute policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 4e400494-53a5-5147-6f4d-718b539c7394 Manage compliance activities CMA_0358 - Manage compliance activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 836f8406-3b8a-11bb-12cb-6c7fa0765668 Develop configuration item identification plan CMA_C1231 - Develop configuration item identification plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 311802f9-098d-0659-245a-94c5d47c0182 Employ boundary protection to isolate information systems CMA_C1639 - Employ boundary protection to isolate information systems Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance db580551-0b3c-4ea1-8a4c-4cdb5feb340f Provide the logout capability CMA_C1055 - Provide the logout capability Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 8e920169-739d-40b5-3f99-c4d855327bb2 Prohibit binary/machine-executable code CMA_C1717 - Prohibit binary/machine-executable code Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d7c1ecc3-2980-a079-1569-91aec8ac4a77 Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance de251b09-4a5e-1204-4bef-62ac58d47999 Adjust level of audit review, analysis, and reporting CMA_C1123 - Adjust level of audit review, analysis, and reporting Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e29a8f1b-149b-2fa3-969d-ebee1baa9472 Assign an authorizing official (AO) CMA_C1158 - Assign an authorizing official (AO) Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 7b28ba4f-0a87-46ac-62e1-46b7c09202a8 Monitor account activity CMA_0377 - Monitor account activity Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 13939f8c-4cd5-a6db-9af4-9dfec35e3722 Identify and mitigate potential issues at alternate storage site CMA_C1271 - Identify and mitigate potential issues at alternate storage site Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 7ded6497-815d-6506-242b-e043e0273928 Plan for resumption of essential business functions CMA_C1253 - Plan for resumption of essential business functions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ff1efad2-6b09-54cc-01bf-d386c4d558a8 Secure the interface to external systems CMA_0491 - Secure the interface to external systems Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e9c60c37-65b0-2d72-6c3c-af66036203ae Review and update contingency planning policies and procedures CMA_C1243 - Review and update contingency planning policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance d25cbded-121e-0ed6-1857-dc698c9095b1 Take action in response to customer information CMA_C1554 - Take action in response to customer information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service e1a09430-221d-4d4c-a337-1edb5a1fa9bb Function app slots should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 91a54089-2d69-0f56-62dc-b6371a1671c0 Resume all mission and business functions CMA_C1254 - Resume all mission and business functions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance eb8a8df9-521f-3ccd-7e2c-3d1fcc812340 Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 92a7591f-73b3-1173-a09c-a08882d84c70 Identify actions allowed without authentication CMA_0295 - Identify actions allowed without authentication Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b262e1dd-08e9-41d4-963a-258909ad794b Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service cae7c12e-764b-4c87-841a-fdc6675d196f App Service app slots should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance edcc36f1-511b-81e0-7125-abee29752fe7 Manage availability and capacity CMA_0356 - Manage availability and capacity Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 98e33927-8d7f-6d5f-44f5-2469b40b7215 Implement Incident handling capability CMA_C1367 - Implement Incident handling capability Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ced291b8-1d3d-7e27-40cf-829e9dd523c8 Review and update the information security architecture CMA_C1504 - Review and update the information security architecture Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance bd6cbcba-4a2d-507c-53e3-296b5c238a8e Develop and document a business continuity and disaster recovery plan CMA_0146 - Develop and document a business continuity and disaster recovery plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b544f797-a73b-1be3-6d01-6b1a085376bc Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.0.2 > 7.0.0) 2022-09-19 17:41:40 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.0.2 > 7.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 4c385143-09fd-3a34-790c-a5fd9ec77ddc Provide role-based security training CMA_C1094 - Provide role-based security training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ced727b3-005e-3c5b-5cd5-230b79d56ee8 Implement a fault tolerant name/address service CMA_0305 - Implement a fault tolerant name/address service Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 04837a26-2601-1982-3da7-bf463e6408f4 Develop configuration management plan CMA_C1232 - Develop configuration management plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.1 > 5.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 1fdf0b24-4043-3c55-357e-036985d50b52 Ensure security safeguards not needed when the individuals return CMA_C1183 - Ensure security safeguards not needed when the individuals return Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 098dcde7-016a-06c3-0985-0daaf3301d3a Distribute authenticators CMA_0184 - Distribute authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance eb598832-4bcc-658d-4381-3ecbe17b9866 Provide timely maintenance support CMA_C1425 - Provide timely maintenance support Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance dd6d00a8-701a-5935-a22b-c7b9c0c698b2 Isolate SecurID systems, Security Incident Management systems CMA_C1636 - Isolate SecurID systems, Security Incident Management systems Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 57adc919-9dca-817c-8197-64d812070316 Develop an enterprise architecture CMA_C1741 - Develop an enterprise architecture Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (8.0.0 > 9.0.0) 2022-09-19 17:41:40 BuiltIn
App Service a096cbd0-4693-432f-9374-682f485f23f3 Configure Function apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance a8df9c78-4044-98be-2c05-31a315ac8957 Conform to FICAM-issued profiles CMA_C1350 - Conform to FICAM-issued profiles Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb Document customer-defined actions CMA_C1582 - Document customer-defined actions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 677e1da4-00c3-287a-563d-f4a1cf9b99a0 Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance dad1887d-161b-7b61-2e4d-5124a7b5724e Measure the time between flaw identification and flaw remediation CMA_C1674 - Measure the time between flaw identification and flaw remediation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3054c74b-9b45-2581-56cf-053a1a716c39 Accept assessment results CMA_C1150 - Accept assessment results Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance a28323fe-276d-3787-32d2-cef6395764c4 Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 2067b904-9552-3259-0cdd-84468e284b7c Review and update system maintenance policies and procedures CMA_C1395 - Review and update system maintenance policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance cdcb825f-a0fb-31f9-29c1-ab566718499a Publish Computer Matching Agreements on public website CMA_C1829 - Publish Computer Matching Agreements on public website Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 279052a0-8238-694d-9661-bf649f951747 Identify contaminated systems and components CMA_0300 - Identify contaminated systems and components Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.0.0 > 6.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 27ce30dd-3d56-8b54-6144-e26d9a37a541 Ensure audit records are not altered CMA_C1125 - Ensure audit records are not altered Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 2d2ca910-7957-23ee-2945-33f401606efc Accept only FICAM-approved third-party credentials CMA_C1348 - Accept only FICAM-approved third-party credentials Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d Configure App Service apps to use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance bfc540fe-376c-2eef-4355-121312fa4437 Maintain separate execution domains for running processes CMA_C1665 - Maintain separate execution domains for running processes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 33d34fac-56a8-1c0f-0636-3ed94892a709 Govern the allocation of resources CMA_0293 - Govern the allocation of resources Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 16c54e01-9e65-7524-7c33-beda48a75779 Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service eaebaea7-8013-4ceb-9d14-7eb32271373c [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.1 > 5.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 94c842e3-8098-38f9-6d3f-8872b790527d Remove or redact any PII CMA_C1833 - Remove or redact any PII Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2 Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 09960521-759e-5d12-086f-4192a72a5e92 Protect administrator and user documentation CMA_C1583 - Protect administrator and user documentation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.1 > 5.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance b4e19d22-8c0e-7cad-3219-c84c62dc250f Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 611ebc63-8600-50b6-a0e3-fef272457132 Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance a1334a65-2622-28ee-5067-9d7f5b915cc5 Communicate contingency plan changes CMA_C1249 - Communicate contingency plan changes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 82bd024a-5c99-05d6-96ff-01f539676a1a Monitor security and privacy training completion CMA_0379 - Monitor security and privacy training completion Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 13bcff5d-f0eb-4ce7-913e-83ad6300376b Function app slots should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ca6d7878-3189-1833-4620-6c7254ed1607 Obtain continuous monitoring plan for security controls CMA_C1577 - Obtain continuous monitoring plan for security controls Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (7.0.0 > 8.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ffea18d9-13de-6505-37f3-4c1f88070ad7 Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 69d90ee6-9f9f-262a-2038-d909fb4e5723 Identify spilled information CMA_0303 - Identify spilled information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service cf9ca02d-383e-4506-a421-258cc1a5300d [Deprecated]: Function app slots should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance cb8841d4-9d13-7292-1d06-ba4d68384681 Perform a business impact assessment and application criticality assessment CMA_0386 - Perform a business impact assessment and application criticality assessment Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 12af7c7a-92af-9e96-0d0c-5e732d1a3751 Ensure information system fails in known state CMA_C1662 - Ensure information system fails in known state Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (7.0.1 > 8.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3eecf628-a1c8-1b48-1b5c-7ca781e97970 Specify permitted actions associated with customer audit information CMA_C1122 - Specify permitted actions associated with customer audit information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 318b2bd9-9c39-9f8b-46a7-048401f33476 Address coding vulnerabilities CMA_0003 - Address coding vulnerabilities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (8.0.0 > 9.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 6c79c3e5-5f7b-a48a-5c7b-8c158bc01115 Ensure security categorization is approved CMA_C1540 - Ensure security categorization is approved Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f49925aa-9b11-76ae-10e2-6e973cc60f37 Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 21832235-7a07-61f4-530d-d596f76e5b95 Implement security testing, training, and monitoring plans CMA_C1753 - Implement security testing, training, and monitoring plans Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 729c8708-2bec-093c-8427-2e87d2cd426d Automate notification of employee termination CMA_C1521 - Automate notification of employee termination Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 171e377b-5224-4a97-1eaa-62a3b5231dac Generate internal security alerts CMA_C1704 - Generate internal security alerts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.0.1 > 6.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e7589f4e-1e8b-72c2-3692-1e14d7f3699f Ensure access agreements are signed or resigned timely CMA_C1528 - Ensure access agreements are signed or resigned timely Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 245fe58b-96f8-9f1e-48c5-7f49903f66fd Establish alternate storage site that facilitates recovery operations CMA_C1270 - Establish alternate storage site that facilitates recovery operations Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 0dcbaf2f-075e-947b-8f4c-74ecc5cd302c Identify individuals with security roles and responsibilities CMA_C1566 - Identify individuals with security roles and responsibilities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance adf517f3-6dcd-3546-9928-34777d0c277e Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.2 > 2.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 60442979-6333-85f0-84c5-b887bac67448 Evaluate alternate processing site capabilities CMA_C1266 - Evaluate alternate processing site capabilities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 3e37c891-840c-3eb4-78d2-e2e0bb5063e0 Require developers to describe accurate security functionality CMA_C1613 - Require developers to describe accurate security functionality Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 0040d2e5-2779-170d-6a2c-1f5fca353335 Restrict location of information processing, storage and services CMA_C1593 - Restrict location of information processing, storage and services Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 81b6267b-97a7-9aa5-51ee-d2584a160424 Create separate alternate and primary storage sites CMA_C1269 - Create separate alternate and primary storage sites Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 90a156a6-49ed-18d1-1052-69aac27c05cd Allocate resources in determining information system requirements CMA_C1561 - Allocate resources in determining information system requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f3c17714-8ce7-357f-4af2-a0baa63a063f Make SORNs available publicly CMA_C1865 - Make SORNs available publicly Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 4e45863d-9ea9-32b4-a204-2680bc6007a6 Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 03d550b4-34ee-03f4-515f-f2e2faf7a413 Review access control policies and procedures CMA_0457 - Review access control policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
App Service 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 Function apps should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance ca748dfe-3e28-1d18-4221-89aea30aa0a5 Identify status of individual users CMA_C1316 - Identify status of individual users Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 96333008-988d-4add-549b-92b3a8c42063 Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 874a6f2e-2098-53bc-3a16-20dcdc425a7e Create configuration plan protection CMA_C1233 - Create configuration plan protection Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68 Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance f7eb1d0b-6d4f-2d59-1591-7563e11a9313 Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e7422f08-65b4-50e4-3779-d793156e0079 Develop a concept of operations (CONOPS) CMA_0141 - Develop a concept of operations (CONOPS) Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 676c3c35-3c36-612c-9523-36d266a65000 Require developers to provide training CMA_C1611 - Require developers to provide training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 2d14ff7e-6ff9-838c-0cde-4962ccdb1689 Employ business case to record the resources required CMA_C1735 - Employ business case to record the resources required Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 25a1f840-65d0-900a-43e4-bee253de04de Define requirements for managing assets CMA_0125 - Define requirements for managing assets Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance e54901fe-42c2-7f3b-3c5f-327aa5320a69 Automate information sharing decisions CMA_0028 - Automate information sharing decisions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-19 17:41:40 BuiltIn
Regulatory Compliance 8747b573-8294-86a0-8914-49e9b06a5ace Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 496b407d-9b9e-81e8-4ba4-44bc686b016a Conduct exit interview upon termination CMA_0058 - Conduct exit interview upon termination Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Synapse 1e5ed725-f16c-478b-bd4b-7bfa2f7940b9 Configure Azure Synapse workspaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Major (1.0.0 > 2.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 08ad71d0-52be-6503-4908-e015460a16ae Require use of individual authenticators CMA_C1305 - Require use of individual authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 0a24f5dc-8c40-94a7-7aee-bb7cd4781d37 Issue guidelines for ensuring data quality and integrity CMA_C1824 - Issue guidelines for ensuring data quality and integrity Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 2b05dca2-25ec-9335-495c-29155f785082 Provide security training before providing access CMA_0418 - Provide security training before providing access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 623b5f0a-8cbd-03a6-4892-201d27302f0c Define information system account types CMA_0121 - Define information system account types Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance afbecd30-37ee-a27b-8e09-6ac49951a0ee Establish security requirements for the manufacturing of connected devices CMA_0279 - Establish security requirements for the manufacturing of connected devices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba Review file and folder activity CMA_0473 - Review file and folder activity Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 6228396e-2ace-7ca5-3247-45767dbf52f4 Notify personnel upon sanctions CMA_0380 - Notify personnel upon sanctions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5decc032-95bd-2163-9549-a41aba83228e Implement formal sanctions process CMA_0317 - Implement formal sanctions process Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d02498e0-8a6f-6b02-8332-19adf6711d1e Develop organization code of conduct policy CMA_0159 - Develop organization code of conduct policy Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8aec4343-9153-9641-172c-defb201f56b3 Review cloud identity report overview CMA_0468 - Review cloud identity report overview Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b3c8cc83-20d3-3890-8bc8-5568777670f4 Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance eaaae23f-92c9-4460-51cf-913feaea4d52 Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 13efd2d7-3980-a2a4-39d0-527180c009e8 Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 60ee1260-97f0-61bb-8155-5d8b75743655 Separate duties of individuals CMA_0492 - Separate duties of individuals Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1cb7bf71-841c-4741-438a-67c65fdd7194 Provide security training for new users CMA_0419 - Provide security training for new users Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5e4e9685-3818-5934-0071-2620c4fa2ca5 Retain previous versions of baseline configs CMA_C1181 - Retain previous versions of baseline configs Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 477bd136-7dd9-55f8-48ac-bae096b86a07 Develop POA&M CMA_C1156 - Develop POA&M Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring 17b3de92-f710-4cf4-aa55-0e7859f1ed7b [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Contributor
Managed Identity Operator
Virtual Machine Contributor
change
 Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) 2022-09-13 16:35:29 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (2.1.0 > 3.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8c5d3d8d-5cba-0def-257c-5ab9ea9644dc Perform a risk assessment CMA_0388 - Perform a risk assessment Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance cc057769-01d9-95ad-a36f-1e62a7f9540b Update POA&M items CMA_C1157 - Update POA&M items Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 36b74844-4a99-4c80-1800-b18a516d1585 Control use of portable storage devices CMA_0083 - Control use of portable storage devices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 2d4d0e90-32d9-4deb-2166-a00d51ed57c0 Provide information spillage training CMA_0413 - Provide information spillage training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d93fe1be-13e4-421d-9c21-3158e2fa2667 Implement plans of action and milestones for security program process CMA_C1737 - Implement plans of action and milestones for security program process Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f27a298f-9443-014a-0d40-fef12adf0259 Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8e49107c-3338-40d1-02aa-d524178a2afe Deliver security assessment results CMA_C1147 - Deliver security assessment results Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b6b32f80-a133-7600-301e-398d688e7e0c Evaluate and review PII holdings regularly CMA_C1832 - Evaluate and review PII holdings regularly Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (2.1.0 > 3.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8eea8c14-4d93-63a3-0c82-000343ee5204 Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5b802722-71dd-a13d-2e7e-231e09589efb Implement privileged access for executing vulnerability scanning activities CMA_C1555 - Implement privileged access for executing vulnerability scanning activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 26d178a4-9261-6f04-a100-47ed85314c6e Implement security directives CMA_C1706 - Implement security directives Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 37b0045b-3887-367b-8b4d-b9a6fa911bb9 Assess information security events CMA_0013 - Assess information security events Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 9b55929b-0101-47c0-a16e-d6ac5c7d21f8 Undergo independent security review CMA_0515 - Undergo independent security review Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 80a97208-264e-79da-0cc7-4fca179a0c9c Protect against and prevent data theft from departing employees CMA_0398 - Protect against and prevent data theft from departing employees Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5020f3f4-a579-2f28-72a8-283c5a0b15f9 Restrict communications CMA_0449 - Restrict communications Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1fb1cb0e-1936-6f32-42fd-89970b535855 Manage nonlocal maintenance and diagnostic activities CMA_0364 - Manage nonlocal maintenance and diagnostic activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 055da733-55c6-9e10-8194-c40731057ec4 Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 98145a9b-428a-7e81-9d14-ebb154a24f93 View and investigate restricted users CMA_0545 - View and investigate restricted users Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 37dbe3dc-0e9c-24fa-36f2-11197cbfa207 Ensure authorized users protect provided authenticators CMA_C1339 - Ensure authorized users protect provided authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d78f95ba-870a-a500-6104-8a5ce2534f19 Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d42a8f69-a193-6cbc-48b9-04a9e29961f1 Protect wireless access CMA_0411 - Protect wireless access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance a8f9c283-9a66-3eb3-9e10-bdba95b85884 Run simulation attacks CMA_0486 - Run simulation attacks Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (2.1.0 > 3.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0 Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance df2e9507-169b-4114-3a52-877561ee3198 Implement security engineering principles of information systems CMA_0325 - Implement security engineering principles of information systems Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 3881168c-5d38-6f04-61cc-b5d87b2c4c58 Establish third-party personnel security requirements CMA_C1529 - Establish third-party personnel security requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8 Prevent split tunneling for remote devices CMA_C1632 - Prevent split tunneling for remote devices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 67ada943-8539-083d-35d0-7af648974125 Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d4e6a629-28eb-79a9-000b-88030e4823ca Coordinate with external organizations to achieve cross org perspective CMA_C1368 - Coordinate with external organizations to achieve cross org perspective Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 18e7906d-4197-20fa-2f14-aaac21864e71 Document process to ensure integrity of PII CMA_C1827 - Document process to ensure integrity of PII Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 0123edae-3567-a05a-9b05-b53ebe9d3e7e View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 3545c827-26ee-282d-4629-23952a12008b Conduct incident response testing CMA_0060 - Conduct incident response testing Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c42f19c9-5d88-92da-0742-371a0ea03126 Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 11ba0508-58a8-44de-5f3a-9e05d80571da Develop business classification schemes CMA_0155 - Develop business classification schemes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1e0d5ba8-a433-01aa-829c-86b06c9631ec Include dynamic reconfig of customer deployed resources CMA_C1364 - Include dynamic reconfig of customer deployed resources Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 04b3e7f6-4841-888d-4799-cda19a0084f6 Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 9c93ef57-7000-63fb-9b74-88f2e17ca5d2 Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b5a4be05-3997-1731-3260-98be653610f6 Perform disposition review CMA_0391 - Perform disposition review Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 3c93dba1-84fd-57de-33c7-ef0400a08134 Establish terms and conditions for accessing resources CMA_C1076 - Establish terms and conditions for accessing resources Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 7d70383a-32f4-a0c2-61cf-a134851968c2 Determine legal authority to collect PII CMA_C1800 - Determine legal authority to collect PII Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f2222056-062d-1060-6dc2-0107a68c34b2 Manage a secure surveillance camera system CMA_0354 - Manage a secure surveillance camera system Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c246d146-82b0-301f-32e7-1065dcd248b7 Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f8d141b7-4e21-62a6-6608-c79336e36bc9 Establish privacy requirements for contractors and service providers CMA_C1810 - Establish privacy requirements for contractors and service providers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance a465e8e9-0095-85cb-a05f-1dd4960d02af Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 92b49e92-570f-1765-804a-378e6c592e28 Automate process to highlight unreviewed change proposals CMA_C1193 - Automate process to highlight unreviewed change proposals Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 07b42fb5-027e-5a3c-4915-9d9ef3020ec7 Discover any indicators of compromise CMA_C1702 - Discover any indicators of compromise Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08 Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 069101ac-4578-31da-0cd4-ff083edd3eb4 Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 7ad83b58-2042-085d-08f0-13e946f26f89 Update rules of behavior and access agreements every 3 years CMA_0522 - Update rules of behavior and access agreements every 3 years Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 426c172c-9914-10d1-25dd-669641fc1af4 Enable detection of network devices CMA_0220 - Enable detection of network devices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 34aac8b2-488a-2b96-7280-5b9b481a317a Incorporate flaw remediation into configuration management CMA_C1671 - Incorporate flaw remediation into configuration management Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 58a51cde-008b-1a5d-61b5-d95849770677 Test the business continuity and disaster recovery plan CMA_0509 - Test the business continuity and disaster recovery plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 6c0a312f-04c5-5c97-36a5-e56763a02b6b Review and sign revised rules of behavior CMA_0465 - Review and sign revised rules of behavior Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b6ad009f-5c24-1dc0-a25e-74b60e4da45f Control maintenance and repair activities CMA_0080 - Control maintenance and repair activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8cd815bf-97e1-5144-0735-11f6ddb50a59 Enforce and audit access restrictions CMA_C1203 - Enforce and audit access restrictions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance af5ff768-a34b-720e-1224-e6b3214f3ba6 Establish an alternate processing site CMA_0262 - Establish an alternate processing site Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8bfdbaa6-6824-3fec-9b06-7961bf7389a6 Initiate contingency plan testing corrective actions CMA_C1263 - Initiate contingency plan testing corrective actions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 10874318-0bf7-a41f-8463-03e395482080 Correlate audit records CMA_0087 - Correlate audit records Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 7d10debd-4775-85a7-1a41-7e128e0e8c50 Automate process to prohibit implementation of unapproved changes CMA_C1194 - Automate process to prohibit implementation of unapproved changes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b2ea1058-8998-3dd1-84f1-82132ad482fd Develop and establish a system security plan CMA_0151 - Develop and establish a system security plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 979ed3b6-83f9-26bc-4b86-5b05464700bf Modify access authorizations upon personnel transfer CMA_0374 - Modify access authorizations upon personnel transfer Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 6610f662-37e9-2f71-65be-502bdc2f554d Update rules of behavior and access agreements CMA_0521 - Update rules of behavior and access agreements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 21633c09-804e-7fcd-78e3-635c6bfe2be7 Provide capability to process customer-controlled audit records CMA_C1126 - Provide capability to process customer-controlled audit records Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 4ac81669-00e2-9790-8648-71bc11bc91eb Manage the transportation of assets CMA_0370 - Manage the transportation of assets Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance ad1d562b-a04b-15d3-6770-ed310b601cb5 Publish rules and regulations accessing Privacy Act records CMA_C1847 - Publish rules and regulations accessing Privacy Act records Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 341bc9f1-7489-07d9-4ec6-971573e1546a Define access authorizations to support separation of duties CMA_0116 - Define access authorizations to support separation of duties Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1beb1269-62ee-32cd-21ad-43d6c9750eb6 Ensure privacy program information is publicly available CMA_C1867 - Ensure privacy program information is publicly available Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 7bdb79ea-16b8-453e-4ca4-ad5b16012414 Transfer backup information to an alternate storage site CMA_C1294 - Transfer backup information to an alternate storage site Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 4f23967c-a74b-9a09-9dc2-f566f61a87b9 Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 509552f5-6528-3540-7959-fbeae4832533 Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 0ba211ef-0e85-2a45-17fc-401d1b3f8f85 Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5715bf33-a5bd-1084-4e19-bc3c83ec1c35 Establish terms and conditions for processing resources CMA_C1077 - Establish terms and conditions for processing resources Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 043c1e56-5a16-52f8-6af8-583098ff3e60 Create a data inventory CMA_0096 - Create a data inventory Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance e8c31e15-642d-600f-78ab-bad47a5787e6 Require third-party providers to comply with personnel security policies and procedures CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c79d378a-2521-822a-0407-57454f8d2c74 Notify upon termination or transfer CMA_0381 - Notify upon termination or transfer Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d Manage maintenance personnel CMA_C1421 - Manage maintenance personnel Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 84245967-7882-54f6-2d34-85059f725b47 Establish an information security program CMA_0263 - Establish an information security program Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 585af6e9-90c0-4575-67a7-2f9548972e32 Review and reevaluate privileges CMA_C1207 - Review and reevaluate privileges Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 52375c01-4d4c-7acc-3aa4-5b3d53a047ec Define the duties of processors CMA_0127 - Define the duties of processors Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1ee4c7eb-480a-0007-77ff-4ba370776266 Use system clocks for audit records CMA_0535 - Use system clocks for audit records Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1c258345-5cd4-30c8-9ef3-5ee4dd5231d6 Develop security assessment plan CMA_C1144 - Develop security assessment plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 271a3e58-1b38-933d-74c9-a580006b80aa Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5fe84a4c-1b0c-a738-2aba-ed49c9069d3b Prohibit unfair practices CMA_0396 - Prohibit unfair practices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 678ca228-042d-6d8e-a598-c58d5670437d Prohibit remote activation of collaborative computing devices CMA_C1648 - Prohibit remote activation of collaborative computing devices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1afada58-8b34-7ac2-a38a-983218635201 Define acceptable and unacceptable mobile code technologies CMA_C1651 - Define acceptable and unacceptable mobile code technologies Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 93fa357f-2e38-22a9-5138-8cc5124e1923 Categorize information CMA_0052 - Categorize information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 6abdf7c7-362b-3f35-099e-533ed50988f9 Assign information security representative to change control CMA_C1198 - Assign information security representative to change control Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e Implement methods for consumer requests CMA_0319 - Implement methods for consumer requests Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 42116f15-5665-a52a-87bb-b40e64c74b6c Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 35de8462-03ff-45b3-5746-9d4603c74c56 Implement an insider threat program CMA_C1751 - Implement an insider threat program Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 01ae60e2-38bb-0a32-7b20-d3a091423409 Implement system boundary protection CMA_0328 - Implement system boundary protection Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 29363ae1-68cd-01ca-799d-92c9197c8404 Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 203101f5-99a3-1491-1b56-acccd9b66a9e Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d8bbd80e-3bb1-5983-06c2-428526ec6a63 Establish a password policy CMA_0256 - Establish a password policy Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f9ec3263-9562-1768-65a1-729793635a8d Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance dbcef108-7a04-38f5-8609-99da110a2a57 Determine information protection needs CMA_C1750 - Determine information protection needs Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928 Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 214ea241-010d-8926-44cc-b90a96d52adc Compile Audit records into system wide audit CMA_C1140 - Compile Audit records into system wide audit Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8019d788-713d-90a1-5570-dac5052f517d Train staff on PII sharing and its consequences CMA_C1871 - Train staff on PII sharing and its consequences Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b8972f60-8d77-1cb8-686f-9c9f4cdd8a59 Use dedicated machines for administrative tasks CMA_0527 - Use dedicated machines for administrative tasks Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 06f84330-4c27-21f7-72cd-7488afd50244 Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (4.0.0 > 5.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance eab4450d-9e5c-4f38-0656-2ff8c78c83f3 Document and implement privacy complaint procedures CMA_0189 - Document and implement privacy complaint procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 54a9c072-4a93-2a03-6a43-a060d30383d7 Eradicate contaminated information CMA_0253 - Eradicate contaminated information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 05ec66a2-137c-14b8-8e75-3d7a2bef07f8 Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 70a7a065-a060-85f8-7863-eb7850ed2af9 Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5d3abfea-a130-1208-29c0-e57de80aa6b0 Review the results of contingency plan testing CMA_C1262 - Review the results of contingency plan testing Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c2eabc28-1e5c-78a2-a712-7cc176c44c07 Implement a penetration testing methodology CMA_0306 - Implement a penetration testing methodology Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8b1da407-5e60-5037-612e-2caa1b590719 Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 27965e62-141f-8cca-426f-d09514ee5216 Establish and maintain an asset inventory CMA_0266 - Establish and maintain an asset inventory Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 4ce91e4e-6dab-3c46-011a-aa14ae1561bf Maintain list of authorized remote maintenance personnel CMA_C1420 - Maintain list of authorized remote maintenance personnel Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 85335602-93f5-7730-830b-d43426fd51fa Integrate Audit record analysis CMA_C1120 - Integrate Audit record analysis Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9 Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c148208b-1a6f-a4ac-7abc-23b1d41121b1 Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f33c3238-11d2-508c-877c-4262ec1132e1 Recover and reconstitute resources after any disruption CMA_C1295 - Recover and reconstitute resources after any disruption Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1ff03f2a-974b-3272-34f2-f6cd51420b30 Obscure feedback information during authentication process CMA_C1344 - Obscure feedback information during authentication process Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b8a9bb2f-7290-3259-85ce-dca7d521302d Initiate transfer or reassignment actions CMA_0333 - Initiate transfer or reassignment actions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c5784049-959f-6067-420c-f4cefae93076 Coordinate contingency plans with related plans CMA_0086 - Coordinate contingency plans with related plans Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 72889284-15d2-90b2-4b39-a1e9541e1152 Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance bab9ef1d-a16d-421a-822d-3fa94e808156 Route traffic through managed network access points CMA_0484 - Route traffic through managed network access points Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance fe2dff43-0a8c-95df-0432-cb1c794b17d0 Notify users of system logon or access CMA_0382 - Notify users of system logon or access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 39eb03c1-97cc-11ab-0960-6209ed2869f7 Establish a privacy program CMA_0257 - Establish a privacy program Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 575ed5e8-4c29-99d0-0e4d-689fb1d29827 Automate approval request for proposed changes CMA_C1192 - Automate approval request for proposed changes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 6f3866e8-6e12-69cf-788c-809d426094a1 Establish electronic signature and certificate requirements CMA_0271 - Establish electronic signature and certificate requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 01c387ea-383d-4ca9-295a-977fab516b03 Authorize remote access to privileged commands CMA_C1064 - Authorize remote access to privileged commands Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b28c8687-4bbd-8614-0b96-cdffa1ac6d9c Review and update incident response policies and procedures CMA_C1352 - Review and update incident response policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance ebb0ba89-6d8c-84a7-252b-7393881e43de Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 964b340a-43a4-4798-2af5-7aedf6cb001b Collect PII directly from the individual CMA_C1822 - Collect PII directly from the individual Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f741c4e6-41eb-15a4-25a2-61ac7ca232f0 Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5226dee6-3420-711b-4709-8e675ebd828f Update information security policies CMA_0518 - Update information security policies Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b4409bff-2287-8407-05fd-c73175a68302 Enforce a limit of consecutive failed login attempts CMA_C1044 - Enforce a limit of consecutive failed login attempts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance e89436d8-6a93-3b62-4444-1d2a42ad56b2 Reevaluate access upon personnel transfer CMA_0424 - Reevaluate access upon personnel transfer Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 77acc53d-0f67-6e06-7d04-5750653d4629 Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 516be556-1353-080d-2c2f-f46f000d5785 Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 6ab47bbf-867e-9113-7998-89b58f77326a Respond to complaints, concerns, or questions timely CMA_C1853 - Respond to complaints, concerns, or questions timely Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 291f20d4-8d93-1d73-89f3-6ce28b825563 Authorize, monitor, and control usage of mobile code technologies CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c7d57a6a-7cc2-66c0-299f-83bf90558f5d Enforce random unique session identifiers CMA_0247 - Enforce random unique session identifiers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8 Automate process to document implemented changes CMA_C1195 - Automate process to document implemented changes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance e4e1f896-8a93-1151-43c7-0ad23b081ee2 Authorize, monitor, and control voip CMA_0025 - Authorize, monitor, and control voip Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 2af551d5-1775-326a-0589-590bfb7e9eb2 Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 62fa14f0-4cbe-762d-5469-0899a99b98aa Explicitly notify use of collaborative computing devices CMA_C1649 - Explicitly notify use of collaborative computing devices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 37546841-8ea1-5be0-214d-8ac599588332 Maintain incident response plan CMA_0352 - Maintain incident response plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 97cfd944-6f0c-7db2-3796-8e890ef70819 Establish conditions for role membership CMA_0269 - Establish conditions for role membership Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 27ab3ac0-910d-724d-0afa-1a2a01e996c0 Respond to rectification requests CMA_0442 - Respond to rectification requests Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 44f8a42d-739f-8030-89a8-4c2d5b3f6af3 Provide audit review, analysis, and reporting capability CMA_C1124 - Provide audit review, analysis, and reporting capability Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance a08b18c7-9e0a-89f1-3696-d80902196719 Document access privileges CMA_0186 - Document access privileges Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance e6f7b584-877a-0d69-77d4-ab8b923a9650 Document separation of duties CMA_0204 - Document separation of duties Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b0e3035d-6366-2e37-796e-8bcab9c649e6 Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 433de59e-7a53-a766-02c2-f80f8421469a Implement incident handling CMA_0318 - Implement incident handling Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8b1f29eb-1b22-4217-5337-9207cb55231e Perform information input validation CMA_C1723 - Perform information input validation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (2.1.0 > 3.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8bb40df9-23e4-4175-5db3-8dba86349b73 Confirm quality and integrity of PII CMA_C1821 - Confirm quality and integrity of PII Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance a930f477-9dcb-2113-8aa7-45bb6fc90861 Review and update the events defined in AU-02 CMA_C1106 - Review and update the events defined in AU-02 Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 35963d41-4263-0ef9-98d5-70eb058f9e3c Establish procedures for initial authenticator distribution CMA_0276 - Establish procedures for initial authenticator distribution Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 4c6df5ff-4ef2-4f17-a516-0da9189c603b Assign account managers CMA_0015 - Assign account managers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c423e64d-995c-9f67-0403-b540f65ba42a Assess Security Controls CMA_C1145 - Assess Security Controls Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f29b17a4-0df2-8a50-058a-8570f9979d28 Assign system identifiers CMA_0018 - Assign system identifiers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 0bbfd658-93ab-6f5e-1e19-3c1c1da62d01 Keep accurate accounting of disclosures of information CMA_C1818 - Keep accurate accounting of disclosures of information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 2927e340-60e4-43ad-6b5f-7a1468232cc2 Configure detection whitelist CMA_0068 - Configure detection whitelist Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 2b2f3a72-9e68-3993-2b69-13dcdecf8958 Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 6b957f60-54cd-5752-44d5-ff5a64366c93 Develop SSP that meets criteria CMA_C1492 - Develop SSP that meets criteria Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f48b60c6-4b37-332f-7288-b6ea50d300eb Review controlled folder access events CMA_0471 - Review controlled folder access events Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d18af1ac-0086-4762-6dc8-87cdded90e39 Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f78fc35e-1268-0bca-a798-afcba9d2330a Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 4781e5fd-76b8-7d34-6df3-a0a7fca47665 Prevent identifier reuse for the defined time period CMA_C1314 - Prevent identifier reuse for the defined time period Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 79c75b38-334b-1a69-65e0-a9d929a42f75 Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance aa0ddd99-43eb-302d-3f8f-42b499182960 Install an alarm system CMA_0338 - Install an alarm system Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 3b30aa25-0f19-6c04-5ca4-bd3f880a763d Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 7a489c62-242c-5db9-74df-c073056d6fa3 Designate personnel to supervise unauthorized maintenance activities CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 0803eaa7-671c-08a7-52fd-ac419f775e75 Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance ffdaa742-0d6f-726f-3eac-6e6c34e36c93 Establish usage restrictions for mobile code technologies CMA_C1652 - Establish usage restrictions for mobile code technologies Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 68a39c2b-0f17-69ee-37a3-aa10f9853a08 Establish voip usage restrictions CMA_0280 - Establish voip usage restrictions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 70fe686f-1f91-7dab-11bf-bca4201e183b Review role group changes weekly CMA_0476 - Review role group changes weekly Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 098a7b84-1031-66d8-4e78-bd15b5fd2efb Provide privacy notice CMA_0414 - Provide privacy notice Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5023a9e7-8e64-2db6-31dc-7bce27f796af Provide privacy notice to the public and to individuals CMA_C1861 - Provide privacy notice to the public and to individuals Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 9e3c505e-7aeb-2096-3417-b132242731fc Review content prior to posting publicly accessible information CMA_C1085 - Review content prior to posting publicly accessible information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance af227964-5b8b-22a2-9364-06d2cb9d6d7c Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 4aacaec9-0628-272c-3e83-0d68446694e0 Manage Authenticators CMA_C1321 - Manage Authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 92ede480-154e-0e22-4dca-8b46a74a3a51 Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c2cb4658-44dc-9d11-3dad-7c6802dd5ba3 Generate error messages CMA_C1724 - Generate error messages Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d6653f89-7cb5-24a4-9d71-51581038231b Reauthenticate or terminate a user session CMA_0421 - Reauthenticate or terminate a user session Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 34738025-5925-51f9-1081-f2d0060133ed Information security and personal data protection CMA_0332 - Information security and personal data protection Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance fd81a1b3-2d7a-107c-507e-29b87d040c19 Enforce appropriate usage of all accounts CMA_C1023 - Enforce appropriate usage of all accounts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 13ef3484-3a51-785a-9c96-500f21f84edd Information flow control using security policy filters CMA_C1029 - Information flow control using security policy filters Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c6b877a6-5d6d-1862-4b7f-3ccc30b25b63 Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5c40f27b-6791-18c5-3f85-7b863bd99c11 Automate proposed documented changes CMA_C1191 - Automate proposed documented changes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 9ac8621d-9acd-55bf-9f99-ee4212cc3d85 Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b4512986-80f5-1656-0c58-08866bd2673a Designate authorized personnel to post publicly accessible information CMA_C1083 - Designate authorized personnel to post publicly accessible information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance ee67c031-57fc-53d0-0cca-96c4c04345e8 Document and distribute a privacy policy CMA_0188 - Document and distribute a privacy policy Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance f8ded0c6-a668-9371-6bb6-661d58787198 Monitor third-party provider compliance CMA_C1533 - Monitor third-party provider compliance Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 6122970b-8d4a-7811-0278-4c6c68f61e4f Restrict media use CMA_0450 - Restrict media use Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 3ae68d9a-5696-8c32-62d3-c6f9c52e437c Refresh authenticators CMA_0425 - Refresh authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance ba78efc6-795c-64f4-7a02-91effbd34af9 Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d4f70530-19a2-2a85-6e0c-0c3c465e3325 Make accounting of disclosures available upon request CMA_C1820 - Make accounting of disclosures available upon request Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 57927290-8000-59bf-3776-90c468ac5b4b Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 5c33538e-02f8-0a7f-998b-a4c1e22076d3 Govern compliance of cloud service providers CMA_0290 - Govern compliance of cloud service providers Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d041726f-00e0-41ca-368c-b1a122066482 Provide role-based practical exercises CMA_C1096 - Provide role-based practical exercises Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 23d1a569-2d1e-7f43-9e22-1f94115b7dd5 Identify classes of Incidents and Actions taken CMA_C1365 - Identify classes of Incidents and Actions taken Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 4ee5975d-2507-5530-a20a-83a725889c6f Restrict unauthorized software and firmware installation CMA_C1205 - Restrict unauthorized software and firmware installation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance b5244f81-6cab-3188-2412-179162294996 Review publicly accessible content for nonpublic information CMA_C1086 - Review publicly accessible content for nonpublic information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance aa892c0d-2c40-200c-0dd8-eac8c4748ede Employ automatic emergency lighting CMA_0209 - Employ automatic emergency lighting Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 33602e78-35e3-4f06-17fb-13dd887448e4 Conduct capacity planning CMA_C1252 - Conduct capacity planning Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance e0c480bf-0d68-a42d-4cbb-b60f851f8716 Implement personnel screening CMA_0322 - Implement personnel screening Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 423f6d9c-0c73-9cc6-64f4-b52242490368 Develop security safeguards CMA_0161 - Develop security safeguards Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4 Define mobile device requirements CMA_0122 - Define mobile device requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 97f0d974-1486-01e2-2088-b888f46c0589 Train personnel on disclosure of nonpublic information CMA_C1084 - Train personnel on disclosure of nonpublic information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance c72fc0c8-2df8-7506-30be-6ba1971747e1 Automate implementation of approved change notifications CMA_C1196 - Automate implementation of approved change notifications Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8a703eb5-4e53-701b-67e4-05ba2f7930c8 Separate user and information system management functionality CMA_0493 - Separate user and information system management functionality Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 8c255136-994b-9616-79f5-ae87810e0dcf Enable network protection CMA_0238 - Enable network protection Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 1282809c-9001-176b-4a81-260a085f4872 Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 0461cacd-0b3b-4f66-11c5-81c9b19a3d22 Verify inaccurate or outdated PII CMA_C1823 - Verify inaccurate or outdated PII Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 9150259b-617b-596d-3bf5-5ca3fce20335 Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance fc26e2fd-3149-74b4-5988-d64bb90f8ef7 Separately store backup information CMA_C1293 - Separately store backup information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance d36700f2-2f0d-7c2a-059c-bdadd1d79f70 Establish a risk management strategy CMA_0258 - Establish a risk management strategy Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 0f4fa857-079d-9d3d-5c49-21f616189e03 Provide real-time alerts for audit event failures CMA_C1114 - Provide real-time alerts for audit event failures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 9b8b05ec-3d21-215e-5d98-0f7cf0998202 Provide security awareness training for insider threats CMA_0417 - Provide security awareness training for insider threats Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-13 16:35:29 BuiltIn
Regulatory Compliance 50e81644-923d-33fc-6ebb-9733bc8d1a06 Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance a830fe9e-08c9-a4fb-420c-6f6bf1702395 Review account provisioning logs CMA_0460 - Review account provisioning logs Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 2c6bee3a-2180-2430-440d-db3c7a849870 Document security operations CMA_0202 - Document security operations Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 333b4ada-4a02-0648-3d4d-d812974f1bb2 Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 6625638f-3ba1-7404-5983-0ea33d719d34 Review audit data CMA_0466 - Review audit data Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Guest Configuration d96163de-dbe0-45ac-b803-0e9ca0f5764e Windows machines should configure Windows Defender to update protection signatures within one day To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 3d399cf3-8fc6-0efc-6ab0-1412f1198517 Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance fad161f5-5261-401a-22dd-e037bae011bd Review threat protection status weekly CMA_0479 - Review threat protection status weekly Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 1d39b5d9-0392-8954-8359-575ce1957d1a Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 2f20840e-7925-221c-725d-757442753e7c Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 2c843d78-8f64-92b5-6a9b-e8186c0e7eb6 Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance c4ccd607-702b-8ae6-8eeb-fc3339cd4b42 Define cryptographic use CMA_0120 - Define cryptographic use Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 526ed90e-890f-69e7-0386-ba5c0f1f784f Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance e4b00788-7e1c-33ec-0418-d048508e095b Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance af38215f-70c4-0cd6-40c2-c52d86690a45 Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 1bc7fd64-291f-028e-4ed6-6e07886e163f Employ least privilege access CMA_0212 - Employ least privilege access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 7380631c-5bf5-0e3a-4509-0873becd8a63 Establish a configuration control board CMA_0254 - Establish a configuration control board Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 3ad7f0bc-3d03-0585-4d24-529779bb02c2 Maintain availability of information CMA_C1644 - Maintain availability of information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance c7fddb0e-3f44-8635-2b35-dc6b8e740b7c Identify and manage downstream information exchanges CMA_0298 - Identify and manage downstream information exchanges Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 50e9324a-7410-0539-0662-2c1e775538b7 Authorize and manage access CMA_0023 - Authorize and manage access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance de770ba6-50dd-a316-2932-e0d972eaa734 Require approval for account creation CMA_0431 - Require approval for account creation Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 59bedbdc-0ba9-39b9-66bb-1d1c192384e6 Control information flow CMA_0079 - Control information flow Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance ae5345d5-8dab-086a-7290-db43a3272198 Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance b8dad106-6444-5f55-307e-1e1cc9723e39 Ensure cryptographic mechanisms are under configuration management CMA_C1199 - Ensure cryptographic mechanisms are under configuration management Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 056a723b-4946-9d2a-5243-3aa27c4d31a1 Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance ece8bb17-4080-5127-915f-dc7267ee8549 Verify security functions CMA_C1708 - Verify security functions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 86ecd378-a3a0-5d5b-207c-05e6aaca43fc Detect network services that have not been authorized or approved CMA_C1700 - Detect network services that have not been authorized or approved Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 [Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 7c7032fe-9ce6-9092-5890-87a1a3755db1 Retain terminated user data CMA_0455 - Retain terminated user data Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 7a0ecd94-3699-5273-76a5-edb8499f655a Determine assertion requirements CMA_0136 - Determine assertion requirements Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance f96d2186-79df-262d-3f76-f371e3b71798 Review user privileges CMA_C1039 - Review user privileges Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Security Center f85bf3e0-d513-442e-89c3-1784ad63382b System updates should be installed on your machines (powered by Update Center) Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 48c816c5-2190-61fc-8806-25d6f3df162f Monitor access across the organization CMA_0376 - Monitor access across the organization Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 6f1de470-79f3-1572-866e-db0771352fc8 Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Guest Configuration 2454bbee-dc19-442f-83fc-7f3114cafd91 [Deprecated]: Windows machines should use the default NTP server This policy is deprecated because Microsoft 365 App Compliance Program no longer checks the default NTP server on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 83dfb2b8-678b-20a0-4c44-5c75ada023e6 Document mobility training CMA_0191 - Document mobility training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance f476f3b0-4152-526e-a209-44e5f8c968d7 Establish network segmentation for card holder data environment CMA_0273 - Establish network segmentation for card holder data environment Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance b53aa659-513e-032c-52e6-1ce0ba46582f Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Security Center d31e5c31-63b2-4f12-887b-e49456834fa1 Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance aeed863a-0f56-429f-945d-8bb66bd06841 Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance ed87d27a-9abf-7c71-714c-61d881889da4 Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance e603da3a-8af7-4f8a-94cb-1bcc0e0333d2 Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance c0559109-6a27-a217-6821-5a6d44f92897 Maintain integrity of audit system CMA_C1133 - Maintain integrity of audit system Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 97d91b33-7050-237b-3e23-a77d57d84e13 Issue public key certificates CMA_0347 - Issue public key certificates Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 3d492600-27ba-62cc-a1c3-66eb919f6a0d Document remote access guidelines CMA_0196 - Document remote access guidelines Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 2cc9c165-46bd-9762-5739-d2aae5ba90a1 Automate account management CMA_0026 - Automate account management Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 398fdbd8-56fd-274d-35c6-fa2d3b2755a1 Establish firewall and router configuration standards CMA_0272 - Establish firewall and router configuration standards Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 33832848-42ab-63f3-1a55-c0ad309d44cd Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 4a6f5cbd-6c6b-006f-2bb1-091af1441bce Review malware detections report weekly CMA_0475 - Review malware detections report weekly Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 0e696f5a-451f-5c15-5532-044136538491 Protect audit information CMA_0401 - Protect audit information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Security Center 951c1558-50a5-4ca3-abb6-a93e3e2367a6 Configure Microsoft Defender for SQL to be enabled on Synapse workspaces Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Security Manager
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 55a7f9a0-6397-7589-05ef-5ed59a8149e7 Control physical access CMA_0081 - Control physical access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 49c23d9b-02b0-0e42-4f94-e8cef1b8381b Audit user account status CMA_0020 - Audit user account status Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance efef28d0-3226-966a-a1e8-70e89c1b30bc Retain security policies and procedures CMA_0454 - Retain security policies and procedures Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance e714b481-8fac-64a2-14a9-6f079b2501a4 Use privileged identity management CMA_0533 - Use privileged identity management Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance b2d3e5a2-97ab-5497-565a-71172a729d93 Protect passwords with encryption CMA_0408 - Protect passwords with encryption Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 10c4210b-3ec9-9603-050d-77e4d26c7ebb Enforce logical access CMA_0245 - Enforce logical access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance e435f7e3-0dd9-58c9-451f-9b44b96c0232 Implement controls to secure all media CMA_0314 - Implement controls to secure all media Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance be38a620-000b-21cf-3cb3-ea151b704c3b Remediate information system flaws CMA_0427 - Remediate information system flaws Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 7805a343-275c-41be-9d62-7215b96212d8 Reassign or remove user privileges as needed CMA_C1040 - Reassign or remove user privileges as needed Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 2f67e567-03db-9d1f-67dc-b6ffb91312f4 Determine auditable events CMA_0137 - Determine auditable events Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance a315c657-4a00-8eba-15ac-44692ad24423 Protect special information CMA_0409 - Protect special information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance e3905a3c-97e7-0b4f-15fb-465c0927536f Correlate Vulnerability scan information CMA_C1558 - Correlate Vulnerability scan information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance d661e9eb-4e15-5ba1-6f02-cdc467db0d6c Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 873895e8-0e3a-6492-42e9-22cd030e9fcd Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 79f081c7-1634-01a1-708e-376197999289 Review user accounts CMA_0480 - Review user accounts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 63f63e71-6c3f-9add-4c43-64de23e554a7 Manage gateways CMA_0363 - Manage gateways Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 8d140e8b-76c7-77de-1d46-ed1b2e112444 Restrict access to private keys CMA_0445 - Restrict access to private keys Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 32f22cfa-770b-057c-965b-450898425519 Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 8489ff90-8d29-61df-2d84-f9ab0f4c5e84 Notify when account is not needed CMA_0383 - Notify when account is not needed Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance bd4dc286-2f30-5b95-777c-681f3a7913d3 Establish and document change control processes CMA_0265 - Establish and document change control processes Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance e23444b9-9662-40f3-289e-6d25c02b48fa Review label activity and analytics CMA_0474 - Review label activity and analytics Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance db28735f-518f-870e-15b4-49623cbe3aa0 Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 03b6427e-6072-4226-4bd9-a410ab65317e Design an access control model CMA_0129 - Design an access control model Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 34d38ea7-6754-1838-7031-d7fd07099821 Manage system and admin accounts CMA_0368 - Manage system and admin accounts Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 518eafdd-08e5-37a9-795b-15a8d798056d Provide privacy training CMA_0415 - Provide privacy training Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 4502e506-5f35-0df4-684f-b326e3cc7093 Terminate user session automatically CMA_C1054 - Terminate user session automatically Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 058e9719-1ff9-3653-4230-23f76b6492e0 Enforce security configuration settings CMA_0249 - Enforce security configuration settings Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 9c276cf3-596f-581a-7fbd-f5e46edaa0f4 Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance dad8a2e9-6f27-4fc2-8933-7e99fe700c9c Authorize remote access CMA_0024 - Authorize remote access Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Storage f81e3117-0093-4b17-8a60-82363134f0eb Configure secure transfer of data on a storage account Secure transfer is an option that forces storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Default
Modify
Allowed
Modify, Disabled 		count: 001
Storage Account Contributor
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 3c9aa856-6b86-35dc-83f4-bc72cec74dea Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65 Update antivirus definitions CMA_0517 - Update antivirus definitions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10 Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f Perform vulnerability scans CMA_0393 - Perform vulnerability scans Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Guest Configuration b3248a42-b1c1-41a4-87bc-8bad3d845589 Windows machines should enable Windows Defender Real-time protection Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance b11697e8-9515-16f1-7a35-477d5c8a1344 Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 5fc24b95-53f7-0ed1-2330-701b539b97fe Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance e336d5f4-4d8f-0059-759c-ae10f63d1747 Enforce user uniqueness CMA_0250 - Enforce user uniqueness Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance b1666a13-8f67-9c47-155e-69e027ff6823 Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance a3e98638-51d4-4e28-910a-60e98c1a756f Configure Azure Audit capabilities CMA_C1108 - Configure Azure Audit capabilities Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 2b4e134f-1e4c-2bff-573e-082d85479b6e Develop an incident response plan CMA_0145 - Develop an incident response plan Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 26daf649-22d1-97e9-2a8a-01b182194d59 Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 79365f13-8ba4-1f6c-2ac4-aa39929f56d0 Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance eb1c944e-0e94-647b-9b7e-fdb8d2af0838 Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Regulatory Compliance 51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7 Define a physical key management process CMA_0115 - Define a physical key management process Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Storage 13502221-8df0-4414-9937-de9c5c4e396b Configure your Storage account public access to be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. Default
Modify
Allowed
Modify, Disabled 		count: 001
Storage Account Contributor
add
 new Policy 2022-09-02 16:33:37 BuiltIn
Monitoring 08a4470f-b26d-428d-97f4-7e3e9c92b366 Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, new suffix: preview (1.0.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
Monitoring 7c4214e9-ea57-487a-b38e-310ec09bc21d [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, new suffix: preview (1.1.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
Monitoring 84cfed75-dfd4-421b-93df-725b479d356a Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, new suffix: preview (1.0.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
App Service a18c77f2-3d6d-497a-9f61-849a7e8a3b79 Configure App Service app slots to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Regulatory Compliance 7d7a8356-5c34-9a95-3118-1424cfaf192a Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Key Vault 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-08-26 16:33:38 BuiltIn
Machine Learning 679ddf89-ab8f-48a5-9029-e76054077449 Azure Machine Learning Compute Instance should have idle shutdown. Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Monitoring c7f3bf36-b807-4f18-82dc-f480ad713635 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, new suffix: preview (1.1.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
Regulatory Compliance 9622aaa9-5c49-40e2-5bf8-660b7cd23deb Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Security Center e54d2be9-5f2e-4d65-98e4-4f0e670b23d6 [Deprecated]: Configure Microsoft Defender for APIs should be enabled This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Storage 59759c62-9a22-4cdf-ae64-074495983fef Configure diagnostic settings for Storage Accounts to Log Analytics workspace Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Storage 6f8f98a4-f108-47cb-8e98-91a0d85cd474 [Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace Deprecated: This policy did not evaluate correctly and has been separated into policies for each of the nested resources. Please see new policies for storage accounts (id: /providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef), blob services (b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb), file (25a70cc8-2bd4-47f1-90b6-1478e4662c96), queue (7bd000e3-37c7-4928-9f31-86c4b77c5c45), and table (2fb86bf3-d221-43d1-96d1-2434af34eaa0). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) 2022-08-26 16:33:38 BuiltIn
Storage 25a70cc8-2bd4-47f1-90b6-1478e4662c96 Configure diagnostic settings for File Services to Log Analytics workspace Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, new suffix: preview (1.0.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
Storage 2fb86bf3-d221-43d1-96d1-2434af34eaa0 Configure diagnostic settings for Table Services to Log Analytics workspace Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-08-26 16:33:38 BuiltIn
Batch c520cefc-285f-40f3-86e2-2efc38ef1f64 Configure Batch accounts to disable public network access Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor, new suffix: preview (1.0.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
App Service a4af4a39-4135-47fb-b175-47fbdf85311d App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (2.0.0 > 3.0.0) 2022-08-26 16:33:38 BuiltIn
Key Vault 951af2fa-529b-416e-ab6e-066fd85ac459 Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.1 > 2.0.1) 2022-08-26 16:33:38 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, new suffix: preview (1.0.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
Regulatory Compliance 1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1 Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, new suffix: preview (1.0.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
App Service 0f98368e-36bc-4716-8ac2-8f8067203b63 Configure App Service apps to only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Website Contributor
add
 new Policy 2022-08-26 16:33:38 BuiltIn
App Service ae1b9a8c-dfce-4605-bd91-69213b4a26fc App Service app slots should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Storage 7bd000e3-37c7-4928-9f31-86c4b77c5c45 Configure diagnostic settings for Queue Services to Log Analytics workspace Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Monitoring a0f27bdc-5b15-4810-b81d-7c4df9df1a37 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, new suffix: preview (1.1.0 > 1.1.1-preview) 2022-08-26 16:33:38 BuiltIn
Storage b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb Configure diagnostic settings for Blob Services to Log Analytics workspace Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Monitoring bef3f64c-5290-43b7-85b0-9b254eef4c47 Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-08-26 16:33:38 BuiltIn
Regulatory Compliance f26af0b1-65b6-689a-a03f-352ad2d00f98 Audit privileged functions CMA_0019 - Audit privileged functions Default
Manual
Allowed
Manual, Disabled
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Security Center 7926a6d1-b268-4586-8197-e8ae90c877d7 Microsoft Defender for APIs should be enabled Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-26 16:33:38 BuiltIn
Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (2.0.0 > 2.2.0) 2022-08-19 16:33:23 BuiltIn
Kubernetes 5174c1db-ca42-e0d4-b320-4f1cf6a1fa93 Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires a Bucket SecretKey stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Kubernetes f9175d5f-abc8-1dc3-bd3c-5d7476ada3d1 Configure installation of Flux extension on Kubernetes cluster Install Flux extension on Kubernetes cluster to enable deployment of 'fluxconfigurations' in the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.2.0) 2022-08-19 16:33:23 BuiltIn
Kubernetes bf1a31be-3b79-5ba8-c9e0-9a8c9ad9f749 Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Kubernetes 2630c91f-8a20-8f43-14a2-2485b648e2a9 Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS CA Certificate. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Azure Load Testing 65c4f833-1f2e-426c-8780-f6d7593bed7a Azure load testing resource should use customer-managed keys to encrypt data at rest Use customer-managed keys(CMK) to manage the encryption at rest for your Azure Load Testing resource. By default the encryptio is done using Service managed keys, customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/load-testing/how-to-configure-customer-managed-keys?tabs=portal. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Kubernetes b6c7fd52-4723-5f4d-a157-3d39bd16a1d7 Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Kubernetes 83ea2fd1-9eaf-2f6d-f672-cd7b2ac798f6 Configure Kubernetes clusters with Flux v2 configuration using public Git repository Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires no secrets. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Kubernetes b8c1d6c1-6137-97c6-9c34-d4627e54ca26 Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Kubernetes 9e980dca-f3e1-8da3-6717-ad37b1ca6b27 Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a SSH private key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-08-19 16:33:23 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.0.0 > 2.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (2.0.0 > 2.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (2.0.0 > 2.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.0.1 > 3.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-08-12 16:33:43 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (2.0.0 > 2.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (4.0.1 > 4.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (2.0.0 > 2.1.0) 2022-08-12 16:33:43 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor (2.0.0 > 2.1.0) 2022-08-12 16:33:43 BuiltIn
Network a58ac66d-92cb-409c-94b8-8e48d7a96596 [Deprecated]: Azure firewall policy should enable TLS inspection within application rules This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-08-12 16:33:43 BuiltIn
Monitoring 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (2.1.0 > 2.1.1) 2022-08-09 17:24:03 BuiltIn
Cognitive Services cddd188c-4b82-4c48-a19d-ddf74ee66a01 [Deprecated]: Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Audit
Allowed
Audit, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-08-09 17:24:03 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2022-08-09 17:24:03 BuiltIn
Security Center 94e1c2ac-cbbe-4cac-a2b5-389c812dee87 Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Monitoring c7f3bf36-b807-4f18-82dc-f480ad713635 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-08-09 17:24:03 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (5.1.1-preview > 5.2.0-preview) 2022-08-09 17:24:03 BuiltIn
Security Center 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Cognitive Services db630ad5-52e9-4f4d-9c44-53912fe40053 Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Cognitive Services Contributor
Network Contributor
change
 Major (2.1.0 > 3.0.0) 2022-08-09 17:24:03 BuiltIn
Security Center e9ac8f8e-ce22-4355-8f04-99b911d6be52 Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2022-08-09 17:24:03 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) 2022-08-09 17:24:03 BuiltIn
Cognitive Services 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c Configure Cognitive Services accounts to disable public network access Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Modify
Allowed
Disabled, Modify 		count: 001
Contributor
change
 Major (2.0.0 > 3.0.0) 2022-08-09 17:24:03 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2022-08-09 17:24:03 BuiltIn
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed
deployIfNotExists 		count: 001
Log Analytics Contributor
change
 Major (3.0.0 > 4.0.0) 2022-08-09 17:24:03 BuiltIn
Security Center e3e008c3-56b9-4133-8fd7-d3347377402a [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Cosmos DB a63cc0bd-cda4-4178-b705-37dc439d3e0f Configure CosmosDB accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Major (1.0.0 > 2.0.0) 2022-08-09 17:24:03 BuiltIn
Service Bus cbd11fd3-3002-4907-b6c8-579f0e700e13 Service Bus Namespaces should disable public network access Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed
deployIfNotExists 		count: 001
Virtual Machine Contributor
change
 Major (3.0.0 > 4.0.0) 2022-08-09 17:24:03 BuiltIn
Monitoring 187242f4-89c6-4c43-9a4e-188c0efacc5f Resource logs should be enabled for Audit on supported resources Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. The existence of a diagnostic setting for category group Audit on the selected resource types ensures that these logs are enabled and captured. Applicable resource types are those that support the "Audit" category group. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Security Center 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Security Center 931e118d-50a1-4457-a5e4-78550e086c52 [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2022-08-09 17:24:03 BuiltIn
Monitoring a0f27bdc-5b15-4810-b81d-7c4df9df1a37 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-08-09 17:24:03 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2022-08-09 17:24:03 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2022-08-09 17:24:03 BuiltIn
Security Center 339353f6-2387-4a45-abe4-7f529d121046 Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-09 17:24:03 BuiltIn
Monitoring 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 [Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
 Major (2.0.1 > 3.0.0) 2022-08-09 17:24:03 BuiltIn
Monitoring 7c4214e9-ea57-487a-b38e-310ec09bc21d [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-08-09 17:24:03 BuiltIn
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca [Deprecated]: Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-08-05 16:32:22 BuiltIn
Azure Ai Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-08-05 16:32:22 BuiltIn
Monitoring 053d3325-282c-4e5c-b944-24faffd30d77 Deploy Log Analytics extension for Linux VMs. See deprecation notice below Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Fixed
deployIfNotExists 		count: 001
Log Analytics Contributor
change
 Major (2.0.1 > 3.0.0) 2022-08-05 16:32:22 BuiltIn
Security Center 0cfea604-3201-4e14-88fc-fae4c427a6c5 Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-08-05 16:32:22 BuiltIn
Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 Configure Log Analytics extension on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (2.1.0 > 2.1.1) 2022-07-29 16:32:46 BuiltIn
Lab Services 0fd9915e-cab3-4f24-b200-6e20e1aa276a Lab Services should require non-admin user for labs This policy requires non-admin user accounts to be created for the labs managed through lab-services. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-07-29 16:32:46 BuiltIn
Container Apps 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 Authentication should be enabled on Container Apps Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-29 16:32:46 BuiltIn
Container Apps 8b346db6-85af-419b-8557-92cee2c0f9bb Container App environments should use network injection Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.1 > 1.0.2) 2022-07-29 16:32:46 BuiltIn
Lab Services a6e9cf2d-7d76-440e-b795-8da246bd3aab Lab Services should enable all options for auto shutdown This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-07-29 16:32:46 BuiltIn
Container Apps 7c9f3fbb-739d-4844-8e42-97e3be6450e0 Container App should configure with volume mount Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-29 16:32:46 BuiltIn
Container Apps b874ab2d-72dd-47f1-8cb5-4a306478a4e7 Managed Identity should be enabled for Container Apps Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-29 16:32:46 BuiltIn
Container Apps 783ea2a8-b8fd-46be-896a-9ae79643a0b1 Container Apps should disable external network access Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-29 16:32:46 BuiltIn
Lab Services 3e13d504-9083-4912-b935-39a085db2249 Lab Services should restrict allowed virtual machine SKU sizes This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-07-29 16:32:46 BuiltIn
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
 Patch (3.0.0 > 3.0.1) 2022-07-29 16:32:46 BuiltIn
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (3.0.0 > 3.0.1) 2022-07-29 16:32:46 BuiltIn
Compute 8405fdab-1faf-48aa-b702-999c9c172094 Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-29 16:32:46 BuiltIn
Container Apps d074ddf8-01a5-4b5e-a2b8-964aed452c0a Container Apps environment should disable public network access Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-29 16:32:46 BuiltIn
Lab Services e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 Lab Services should not allow template virtual machines for labs This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-07-29 16:32:46 BuiltIn
Machine Learning e413671a-dd10-4cc1-a943-45b598596cb7 Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: https://aka.ms/V1LegacyMode. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-07-29 16:32:46 BuiltIn
Container Apps 0e80e269-43a4-4ae9-b5bc-178126b8a5cb Container Apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-29 16:32:46 BuiltIn
Compute 8426280e-b5be-43d9-979e-653d12a08638 Configure managed disks to disable public network access Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Major (1.0.0 > 2.0.0) 2022-07-29 16:32:46 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview) 2022-07-29 16:32:46 BuiltIn
Monitoring 08a4470f-b26d-428d-97f4-7e3e9c92b366 Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Monitoring a0f27bdc-5b15-4810-b81d-7c4df9df1a37 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default
Audit
Allowed
Audit, Disabled
change
 Major (1.0.3 > 2.0.0) 2022-07-26 16:32:46 BuiltIn
Monitoring 7c4214e9-ea57-487a-b38e-310ec09bc21d [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Monitoring c7f3bf36-b807-4f18-82dc-f480ad713635 [Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Monitoring 84cfed75-dfd4-421b-93df-725b479d356a Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2022-07-26 16:32:46 BuiltIn
Cognitive Services db630ad5-52e9-4f4d-9c44-53912fe40053 Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Cognitive Services Contributor
Network Contributor
change
 Minor (2.0.0 > 2.1.0) 2022-07-26 16:32:46 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major (3.1.1 > 4.0.0) 2022-07-26 16:32:46 BuiltIn
Azure Active Directory 7e4301f9-5f32-4738-ad9f-7ec2d15563ad Configure Private Link for Azure AD to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-07-22 16:34:49 BuiltIn
Azure Active Directory b923afcf-4c3a-4ed6-8386-1ff64b68de47 Configure Private Link for Azure AD with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-07-22 16:34:49 BuiltIn
SQL 80ed5239-4122-41ed-b54a-6f1fa7552816 Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-07-22 16:34:49 BuiltIn
SQL a6cf7411-da9e-49e2-aec0-cba0250eaf8c Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-07-22 16:34:49 BuiltIn
SQL 6134c3db-786f-471e-87bc-8f479dc890f6 Deploy Advanced Data Security on SQL servers This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. Fixed
DeployIfNotExists 		count: 002
SQL Security Manager
Storage Account Contributor
change
 Minor (1.2.0 > 1.3.0) 2022-07-22 16:34:49 BuiltIn
SQL 9dfea752-dd46-4766-aed1-c355fa93fb91 Azure SQL Managed Instances should disable public network access Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-07-22 16:34:49 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-07-22 16:34:49 BuiltIn
SQL db048e65-913c-49f9-bb5f-1084184671d3 Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-07-22 16:34:49 BuiltIn
Azure Active Directory 2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28 Azure Active Directory should use private link to access Azure services Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-07-22 16:34:49 BuiltIn
Health Bot 4d080fa5-a6d2-4f98-ba9c-f482d0d335c0 Azure Health Bots should use customer-managed keys to encrypt data at rest Use customer-managed keys (CMK) to manage the encryption at rest of the data of your healthbots. By default, the data is encrypted at rest with service-managed keys, but CMK are commonly required to meet regulatory compliance standards. CMK enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/health-bot/cmk Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-07-15 16:32:44 BuiltIn
Container Registry 785596ed-054f-41bc-aaec-7f3d0ba05725 Configure container registries to disable ARM audience token authentication. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2022-07-15 16:32:44 BuiltIn
Container Instance 8af8f826-edcb-4178-b35f-851ea6fea615 Azure Container Instance container group should deploy into a virtual network Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (1.0.0 > 2.0.0) 2022-07-15 16:32:44 BuiltIn
Container Registry 42781ec6-6127-4c30-bdfa-fb423a0047d3 Container registries should have ARM audience token authentication disabled. Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-07-15 16:32:44 BuiltIn
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.1 > 1.0.2) 2022-07-15 16:32:44 BuiltIn
Network 2d21331d-a4c2-4def-a9ad-ee4e1e023beb App Service apps should use a virtual network service endpoint Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-15 16:32:44 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2022-07-08 16:32:07 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.2.0 > 6.2.1) 2022-07-08 16:32:07 BuiltIn
Internet of Things 9ace2dbc-4b71-48b6-b2a7-428b0b2e3944 IoT Central should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your IoT Central application instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/iotcentral-network-security-using-pe. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Monitoring 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (2.0.1 > 2.1.0) 2022-07-08 16:32:07 BuiltIn
API Management 549814b6-3212-4203-bdc8-1548d342fb67 API Management minimum API version should be set to 2019-12-01 or higher To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-08 16:32:07 BuiltIn
Internet of Things 5b9d063f-c5fd-4750-a489-1258d1fefcbf Configure Azure Device Update for IoT Hub accounts with private endpoint A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Contributor
Network Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-07-08 16:32:07 BuiltIn
Azure Databricks 0e7849de-b939-4c50-ab48-fc6b0f5eeba2 Azure Databricks Workspaces should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Guest Configuration 828ba269-bf7f-4082-83dd-633417bc391d Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (5.0.3-preview > 6.0.0-preview) 2022-07-08 16:32:07 BuiltIn
Internet of Things c854b0f0-02d0-4f94-9b42-fd175fbd4d49 Deploy - Configure IoT Central with private endpoints A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT Central to allow services inside your virtual network to reach IoT Central without requiring traffic to be sent to IoT Central's public endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Contributor
Network Contributor
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2022-07-08 16:32:07 BuiltIn
API Management ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (2.0.0 > 2.0.1) 2022-07-08 16:32:07 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.2.0 > 7.0.0) 2022-07-08 16:32:07 BuiltIn
Internet of Things d627d7c6-ded5-481a-8f2e-7e16b1e6faf6 Deploy - Configure IoT Central to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Contributor
Network Contributor
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 Configure Log Analytics extension on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (2.0.1 > 2.1.0) 2022-07-08 16:32:07 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.1.0 > 7.0.0) 2022-07-08 16:32:07 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.2.1 > 5.0.0) 2022-07-08 16:32:07 BuiltIn
API Management c15dcc82-b93c-4dcb-9332-fbf121685b54 API Management calls to API backends should be authenticated Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.0 > 1.0.1) 2022-07-08 16:32:07 BuiltIn
Internet of Things d02e48d5-28d9-40d3-8ab8-301932a6f9cb Modify - Configure IoT Central to disable public network access Disabling the public network access property improves security by ensuring your IoT Central can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Security Center ffb6f416-7bd2-4488-8828-56585fef2be9 Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (4.0.1 > 4.1.0) 2022-07-08 16:32:07 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.3.1 > 4.0.0) 2022-07-08 16:32:07 BuiltIn
API Management 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management calls to API backends should not bypass certificate thumbprint or name validation To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.0 > 1.0.1) 2022-07-08 16:32:07 BuiltIn
API Management f1cc7827-022c-473e-836e-5a51cae0b249 API Management secret named values should be stored in Azure Key Vault Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.0 > 1.0.1) 2022-07-08 16:32:07 BuiltIn
Network 632d3993-e2c0-44ea-a7db-2eca131f356d [Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major, suffix remains equal (6.1.2-preview > 7.0.0-preview) 2022-07-08 16:32:07 BuiltIn
API Management b741306c-968e-4b67-b916-5675e5c709f4 API Management direct management endpoint should not be enabled The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.0 > 1.0.1) 2022-07-08 16:32:07 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.1.0 > 7.0.0) 2022-07-08 16:32:07 BuiltIn
Fluid Relay 46388f67-373c-4018-98d3-2b83172dd13a Fluid Relay should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (1.0.3-preview > 2.0.0-preview) 2022-07-08 16:32:07 BuiltIn
Security Center cdfcce10-4578-4ecd-9703-530938e4abcb Deploy export to Event Hub for Microsoft Defender for Cloud data Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (4.0.1 > 4.1.0) 2022-07-08 16:32:07 BuiltIn
Internet of Things cd870362-211d-4cad-9ad9-11e5ea4ebbc1 Public network access should be disabled for IoT Central To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-07-08 16:32:07 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.1 > 1.0.2) 2022-07-08 16:32:07 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.2.1 > 5.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc Function apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 8c122334-9d20-4eb8-89ea-ac9a705b74ae App Service apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 496223c3-ad65-4ecd-878a-bae78737e9ed App Service apps that use Java should use a specified 'Java version' Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 399b2637-a50f-4f95-96f8-3a145476eb15 Function apps should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 687aa49d-0982-40f8-bf6b-66d1da97a04b App Service apps should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e [Deprecated]: Latest TLS version should be used in your API App Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated) 2022-07-01 16:32:34 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.2.1 > 5.0.0) 2022-07-01 16:32:34 BuiltIn
App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 95bccee9-a7f8-4bec-9ee9-62c3473701fc App Service apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-07-01 16:32:34 BuiltIn
App Service eaebaea7-8013-4ceb-9d14-7eb32271373c [Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
 Major (1.0.1 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 7008174a-fd10-4ef0-817e-fc820a951d73 App Service apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (3.0.0 > 4.0.0) 2022-07-01 16:32:34 BuiltIn
Kubernetes 6c66c325-74c8-42fd-a286-a74b0e2939d8 Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service fb74e86f-d351-4b8d-b034-93da7391c01f App Service Environment should have internal encryption enabled Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b App Service apps should require FTPS only Enable FTPS enforcement for enhanced security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 324c7761-08db-4474-9661-d1039abc92ee [Deprecated]: API apps should use an Azure file share for its content directory The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file shares for its content directory', which is scoped to include API apps in addition to Web Apps. Default
Audit
Allowed
Audit, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
App Service 358c20a6-3f9e-4f0e-97ff-c6ce485e2aac [Deprecated]: CORS should not allow every resource to access your API App Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
App Service d6545c6b-dd9d-4265-91e6-0b451e2f1c50 App Service Environment should have TLS 1.0 and 1.1 disabled TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 2b9ad585-36bc-4615-b300-fd4435808332 App Service apps should use managed identity Use a managed identity for enhanced authentication security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 7238174a-fd10-4ef0-817e-fc820a951d73 Function apps that use Python should use a specified 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (3.0.0 > 4.0.0) 2022-07-01 16:32:34 BuiltIn
App Service b318f84a-b872-429b-ac6d-a01b96814452 Configure App Service apps to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 0e60b895-3786-45da-8377-9c6b4b6ac5f9 Function apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, new suffix: preview (5.0.2 > 5.0.3-preview) 2022-07-01 16:32:34 BuiltIn
App Service c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 Function apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 991310cd-e9f3-47bc-b7b6-f57b557d07db [Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.1.1 > 4.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 0c192fe8-9cbb-4516-85b3-0ade8bd03886 [Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps. Default
Audit
Allowed
Audit, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.1 > 6.0.2) 2022-07-01 16:32:34 BuiltIn
App Service cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service apps should have remote debugging turned off Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.2.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 5bb220d9-2698-4ee4-8404-b9c30c9df609 [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates. Default
Disabled
Allowed
Audit, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 0820b7b9-23aa-4725-a1ce-ae4558f718e5 Function apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
App Service c4d441f8-f9d9-4a9e-9cef-e82117cb3eef [Deprecated]: Managed identity should be used in your API App Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
App Service dcbc65aa-59f3-4239-8978-3bb869d82604 App Service apps should use an Azure file share for its content directory The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (7.2.0 > 8.0.0) 2022-07-01 16:32:34 BuiltIn
App Service e2c1c086-2d84-4019-bff3-c44ccd95113c Function apps should use latest 'HTTP Version' Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service apps should not have CORS configured to allow every resource to access your apps Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 0da106f2-4ca3-48e8-bc85-c638fe6aea8f Function apps should use managed identity Use a managed identity for enhanced authentication security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-07-01 16:32:34 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.1 > 5.0.2) 2022-07-01 16:32:34 BuiltIn
App Service 74c3584d-afae-46f7-a20a-6f8adba71a16 [Deprecated]: API apps that use Python should use the latest 'Python version' Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
App Service f9d614c5-c173-4d56-95a7-b4437057d193 Function apps should use the latest TLS version Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch, new suffix: preview (6.1.1 > 6.1.2-preview) 2022-07-01 16:32:34 BuiltIn
App Service c4ebc54a-46e1-481a-bee2-d4411e95d828 [Deprecated]: Authentication should be enabled on your API app Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
App Service 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 Function apps should use an Azure file share for its content directory The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. Default
Audit
Allowed
Audit, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-07-01 16:32:34 BuiltIn
App Service 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-07-01 16:32:34 BuiltIn
App Service 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 [Deprecated]: FTPS only should be required in your API App Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
App Service 88999f4c-376a-45c8-bcb3-4058f713cf39 [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
App Service e9c8d085-d9cc-4b17-9cdc-059f1f01f19e [Deprecated]: Remote debugging should be turned off for API Apps Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have remote debugging turned off', which is scoped to include API apps in addition to Web Apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-07-01 16:32:34 BuiltIn
Security Center 73d6ab6c-2475-4850-afd6-43795f3492ef Deploy Workflow Automation for Microsoft Defender for Cloud recommendations Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (4.0.0 > 5.0.0) 2022-06-24 19:15:47 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (8.0.0 > 9.0.0) 2022-06-24 19:15:47 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (8.0.0 > 9.0.0) 2022-06-24 19:15:47 BuiltIn
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed
deployIfNotExists 		count: 001
Virtual Machine Contributor
change
 Major (2.0.0 > 3.0.0) 2022-06-24 19:15:47 BuiltIn
Security Center 509122b9-ddd9-47ba-a5f1-d0dac20be63c Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (4.0.0 > 5.0.0) 2022-06-24 19:15:47 BuiltIn
API Management ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (1.0.0 > 2.0.0) 2022-06-24 19:15:47 BuiltIn
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default
Audit
Allowed
Audit, Disabled
change
 Patch, old suffix: preview (1.0.2-preview > 1.0.3) 2022-06-24 19:15:47 BuiltIn
Security Center cdfcce10-4578-4ecd-9703-530938e4abcb Deploy export to Event Hub for Microsoft Defender for Cloud data Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (4.0.0 > 4.0.1) 2022-06-24 19:15:47 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, old suffix: preview (5.0.1-preview > 5.0.2) 2022-06-24 19:15:47 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (8.0.0 > 9.0.0) 2022-06-24 19:15:47 BuiltIn
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (3.0.0 > 3.1.0) 2022-06-24 19:15:47 BuiltIn
Kubernetes 46238e2f-3f6f-4589-9f3f-77bed4116e67 Azure Kubernetes Clusters should use Azure CNI Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-06-24 19:15:47 BuiltIn
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (3.0.0 > 3.1.0) 2022-06-24 19:15:47 BuiltIn
Security Center ffb6f416-7bd2-4488-8828-56585fef2be9 Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (4.0.0 > 4.0.1) 2022-06-24 19:15:47 BuiltIn
Guest Configuration f40c7c00-b4e3-4068-a315-5fe81347a904 [Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
add
 new Policy 2022-06-24 19:15:47 BuiltIn
Security Center f1525828-9a90-4fcf-be48-268cdd02361e Deploy Workflow Automation for Microsoft Defender for Cloud alerts Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (4.0.0 > 5.0.0) 2022-06-24 19:15:47 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch, old suffix: preview (3.1.0-preview > 3.1.1) 2022-06-24 19:15:47 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (8.0.0 > 9.0.0) 2022-06-24 19:15:47 BuiltIn
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed
deployIfNotExists 		count: 001
Log Analytics Contributor
change
 Major (2.0.0 > 3.0.0) 2022-06-24 19:15:47 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch, old suffix: preview (6.1.0-preview > 6.1.1) 2022-06-24 19:15:47 BuiltIn
Monitoring Deploy-Diagnostics-MlWorkspace [Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-06-17 17:16:31 ALZ
Storage Deploy-Storage-sslEnforcement Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Storage Account Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-06-17 17:16:31 ALZ
Monitoring Deploy-Diagnostics-WVDAppGroup [Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-06-17 17:16:31 ALZ
Monitoring Deploy-Diagnostics-AVDScalingPlans [Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-06-17 17:16:31 ALZ
Monitoring Deploy-Diagnostics-WVDHostPools [Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-06-17 17:16:31 ALZ
Monitoring Deploy-Diagnostics-Bastion [Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-06-17 17:16:31 ALZ
Machine Learning Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess Deny public access of Azure Machine Learning clusters via SSH Deny public access of Azure Machine Learning clusters via SSH. Default
Deny
Allowed
Audit, Disabled, Deny
change
 Minor (1.0.0 > 1.1.0) 2022-06-17 17:16:31 ALZ
Monitoring Deploy-Diagnostics-WVDWorkspace [Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-06-17 17:16:31 ALZ
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.3.0 > 3.3.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.1 > 6.0.2) 2022-06-17 16:31:08 BuiltIn
Container Registry d0793b48-0edc-4296-a390-4c75d1bdfd71 Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.1.0 > 2.0.0) 2022-06-17 16:31:08 BuiltIn
API Management f1cc7827-022c-473e-836e-5a51cae0b249 API Management secret named values should be stored in Azure Key Vault Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-06-17 16:31:08 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.0 > 3.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.1.0 > 2.0.0) 2022-06-17 16:31:08 BuiltIn
API Management 92bb331d-ac71-416a-8c91-02f2cb734ce4 API Management calls to API backends should not bypass certificate thumbprint or name validation To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-06-17 16:31:08 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.0 > 3.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.2.0 > 4.2.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.2.0 > 4.0.1) 2022-06-17 16:31:08 BuiltIn
API Management 3aa03346-d8c5-4994-a5bc-7652c2a2aef1 API Management subscriptions should not be scoped to all APIs API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-06-17 16:31:08 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2022-06-17 16:31:08 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.1.0 > 3.1.1) 2022-06-17 16:31:08 BuiltIn
API Management c15dcc82-b93c-4dcb-9332-fbf121685b54 API Management calls to API backends should be authenticated Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-06-17 16:31:08 BuiltIn
API Management b741306c-968e-4b67-b916-5675e5c709f4 API Management direct management endpoint should not be enabled The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-06-17 16:31:08 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-06-17 16:31:08 BuiltIn
API Management 549814b6-3212-4203-bdc8-1548d342fb67 API Management minimum API version should be set to 2019-12-01 or higher To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-06-17 16:31:08 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (7.2.0 > 8.0.0) 2022-06-17 16:31:08 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.2.0 > 4.2.1) 2022-06-17 16:31:08 BuiltIn
API Management ee7495e7-3ba7-40b6-bfee-c29e22cc75d4 API Management APIs should use only encrypted protocols To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-06-17 16:31:08 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.2.0 > 2.0.0) 2022-06-17 16:31:08 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.2.0 > 6.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2022-06-17 16:31:08 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.2.0 > 4.2.1) 2022-06-17 16:31:08 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled or public network access disabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, old suffix: preview (2.0.0-preview > 3.0.0) 2022-06-10 16:31:21 BuiltIn
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Major (2.1.0 > 3.0.0) 2022-06-10 16:31:21 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2022-06-10 16:31:21 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (7.1.0 > 8.0.0) 2022-06-10 16:31:21 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.2.0 > 5.0.0) 2022-06-10 16:31:21 BuiltIn
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (2.1.0 > 3.0.0) 2022-06-10 16:31:21 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) 2022-06-10 16:31:21 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (6.0.1-preview > 6.1.0-preview) 2022-06-10 16:31:21 BuiltIn
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
 Major (2.1.1 > 3.0.0) 2022-06-10 16:31:21 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-06-10 16:31:21 BuiltIn
Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01dc Configure key vaults to enable firewall Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default
Modify
Allowed
Modify, Disabled 		count: 001
Key Vault Contributor
change
 Minor, old suffix: preview (1.0.0-preview > 1.1.1) 2022-06-10 16:31:21 BuiltIn
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Major (2.1.1 > 3.0.0) 2022-06-10 16:31:21 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview) 2022-06-10 16:31:21 BuiltIn
Key Vault 405c5871-3e91-4644-8a63-58e19d68ff5b Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-06-10 16:31:21 BuiltIn
Storage a06d0189-92e8-4dba-b0c4-08d7669fce7d Configure storage accounts to disable public network access To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Storage Account Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-06-10 16:31:21 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
 Major (1.0.1 > 2.0.0) 2022-06-10 16:31:21 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.2.0 > 4.0.0) 2022-06-10 16:31:21 BuiltIn
Storage b2982f36-99f2-4db5-8eff-283140c09693 Storage accounts should disable public network access To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-06-10 16:31:21 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (2.1.0 > 3.0.0) 2022-06-10 16:31:21 BuiltIn
Security Center 4eb909e7-6d64-656d-6465-2eeb297a1625 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2022-06-07 16:30:19 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-06-07 16:30:19 BuiltIn
Guest Configuration 70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f [Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-06-07 16:30:19 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview) 2022-06-07 16:30:19 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-06-07 16:30:19 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (2.2.0 > 3.0.0) 2022-06-07 16:30:19 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-06-07 16:30:19 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, new suffix: preview (1.0.0 > 1.0.1-preview) 2022-06-07 16:30:19 BuiltIn
App Service 6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (1.0.0 > 2.0.0) 2022-06-07 16:30:19 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-06-07 16:30:19 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2022-06-07 16:30:19 BuiltIn
App Service a4af4a39-4135-47fb-b175-47fbdf85311d App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (1.0.0 > 2.0.0) 2022-06-07 16:30:19 BuiltIn
Security Center 37c043a6-6d64-656d-6465-b362dfeb354a [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2022-06-07 16:30:19 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (5.0.0-preview > 6.0.1-preview) 2022-06-07 16:30:19 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview) 2022-06-07 16:30:19 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-06-07 16:30:19 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) 2022-06-07 16:30:19 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-06-07 16:30:19 BuiltIn
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-06-07 16:30:19 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-06-07 16:30:19 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) 2022-06-07 16:30:19 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
change
 Patch, new suffix: preview (1.0.0 > 1.0.1-preview) 2022-06-07 16:30:19 BuiltIn
Security Center d30025d0-6d64-656d-6465-67688881b632 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2022-06-07 16:30:19 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.1.0 > 1.2.0) 2022-06-07 16:30:19 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-06-07 16:30:19 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-06-07 16:30:19 BuiltIn
Security Center ac076320-ddcf-4066-b451-6154267e8ad2 Enable Microsoft Defender for Cloud on your subscription Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. Fixed
deployIfNotExists 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2022-06-07 16:30:19 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-06-07 16:30:19 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-06-07 16:30:19 BuiltIn
App Service b7ddfbdc-1260-477d-91fd-98bd9be789a6 [Deprecated]: API App should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should only be accessible over HTTPS', which is scoped to include API apps in addition to Web Apps. Default
Audit
Allowed
Audit, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-06-07 16:30:19 BuiltIn
Security Center 1ec9c2c2-6d64-656d-6465-3ec3309b8579 [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines Deploys Microsoft Defender for Endpoint on applicable Windows VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2022-06-07 16:30:19 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor, suffix remains equal (3.0.3-preview > 3.1.0-preview) 2022-06-07 16:30:19 BuiltIn
Guest Configuration e79ffbda-ff85-465d-ab8e-7e58a557660f [Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-06-07 16:30:19 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.2.0 > 4.0.0) 2022-06-07 16:30:19 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (5.0.1-preview > 5.1.1-preview) 2022-06-07 16:30:19 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-06-07 16:30:19 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2022-06-07 16:30:19 BuiltIn
Storage 90bd4cb3-9f59-45f7-a6ca-f69db2726671 Configure a private DNS Zone ID for dfs_secondary groupID Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Compute 2835b622-407b-4114-9198-6f7064cbe0dc Deploy default Microsoft IaaSAntimalware extension for Windows Server This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. Fixed
deployIfNotExists 		count: 001
Virtual Machine Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-05-27 20:20:35 BuiltIn
Storage bcff79fb-2b0d-47c9-97e5-3023479b00d1 Configure a private DNS Zone ID for queue groupID Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2022-05-27 20:20:35 BuiltIn
Compute 9b597639-28e4-48eb-b506-56b05d366257 Microsoft IaaSAntimalware extension should be deployed on Windows servers This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-05-27 20:20:35 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.2.0 > 5.0.0) 2022-05-27 20:20:35 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.2.0 > 6.0.0) 2022-05-27 20:20:35 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.1.0 > 6.0.0) 2022-05-27 20:20:35 BuiltIn
Storage da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6 Configure a private DNS Zone ID for queue_secondary groupID Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.2.0 > 5.0.0) 2022-05-27 20:20:35 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.2.0 > 5.0.0) 2022-05-27 20:20:35 BuiltIn
Storage 9adab2a5-05ba-4fbd-831a-5bf958d04218 Configure a private DNS Zone ID for web groupID Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Storage d847d34b-9337-4e2d-99a5-767e5ac9c582 Configure a private DNS Zone ID for blob_secondary groupID Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Storage d19ae5f1-b303-4b82-9ca8-7682749faf0c Configure a private DNS Zone ID for web_secondary groupID Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Storage 6df98d03-368a-4438-8730-a93c4d7693d6 Configure a private DNS Zone ID for file groupID Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Storage b2982f36-99f2-4db5-8eff-283140c09693 Storage accounts should disable public network access To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Storage 83c6fe0f-2316-444a-99a1-1ecd8a7872ca Configure a private DNS Zone ID for dfs groupID Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.1.0 > 4.0.0) 2022-05-27 20:20:35 BuiltIn
Storage 028bbd88-e9b5-461f-9424-a1b63a7bee1a Configure a private DNS Zone ID for table groupID Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Container Apps 8b346db6-85af-419b-8557-92cee2c0f9bb Container App environments should use network injection Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Patch (1.0.0 > 1.0.1) 2022-05-27 20:20:35 BuiltIn
Storage c1d634a5-f73d-4cdd-889f-2cc7006eb47f Configure a private DNS Zone ID for table_secondary groupID Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.3.0 > 7.0.0) 2022-05-27 20:20:35 BuiltIn
Guest Configuration 6141c932-9384-44c6-a395-59e4c057d7c9 Configure time zone on Windows machines. This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. Fixed
deployIfNotExists 		count: 001
Guest Configuration Resource Contributor
change
 Major (1.1.0 > 2.0.0) 2022-05-27 20:20:35 BuiltIn
Storage a06d0189-92e8-4dba-b0c4-08d7669fce7d Configure storage accounts to disable public network access To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Modify
Allowed
Modify, Disabled 		count: 001
Storage Account Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Maps 50553764-7777-43cf-bf12-8647e0b9ba01 CORS should not allow every resource to access your map account. Cross-Origin Resource Sharing (CORS) should not allow all domains to access your map account. Allow only required domains to interact with your map account. Default
Audit
Allowed
Disabled, Audit, Deny
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Storage 75973700-529f-4de2-b794-fb9b6781b6b0 Configure a private DNS Zone ID for blob groupID Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-05-27 20:20:35 BuiltIn
Machine Learning 438c38d2-3772-465a-a9cc-7a6666a275ce Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.3.0 > 2.0.0) 2022-05-23 08:52:47 BuiltIn
Attestation 5e7e928c-8693-4a23-9bf3-1c77b9a8fe97 Azure Attestation providers should disable public network access To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Web PubSub eb907f70-7514-460d-92b3-a5ae93b4f917 Azure Web PubSub Service should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Key Vault 86810a98-8e91-4a44-8386-ec66d0de5d57 [Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Key Vault 1d478a74-21ba-4b9f-9d8f-8e6fced0eec5 [Preview]: Azure Key Vault Managed HSM keys should have an expiration date To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-23 08:52:47 BuiltIn
SignalR 2393d2cf-a342-44cd-a2e2-fe0188fd1234 Azure SignalR Service should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Key Vault ad27588c-0198-4c84-81ef-08efd0274653 [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Key Vault e58fd0c1-feac-4d12-92db-0a7e9421f53e [Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 002
Contributor
User Access Administrator
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-23 08:52:47 BuiltIn
Container Apps d074ddf8-01a5-4b5e-a2b8-964aed452c0a Container Apps environment should disable public network access Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Web PubSub ee8a7be2-e9b5-47b9-9d37-d9b141ea78a4 Azure Web PubSub Service should enable diagnostic logs Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
SQL b52376f7-9612-48a1-81cd-1ffe4b61032c Public network access should be disabled for PostgreSQL servers Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.2 > 2.0.0) 2022-05-16 16:31:13 BuiltIn
SignalR d9f1f9a9-8795-49f9-9e7b-e11db14caeb2 Azure SignalR Service should enable diagnostic logs Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Internet of Things a222b93a-e6c2-4c01-817f-21e092455b2a Configure Azure Device Update for IoT Hub accounts to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for Device Updatefor IoT Hub private endpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Contributor
Network Contributor
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Container Apps 2b585559-a78e-4cc4-b1aa-fb169d2f6b96 Authentication should be enabled on Container Apps Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
SQL d9844e8a-1437-4aeb-a32c-0c992f056095 Public network access should be disabled for MySQL servers Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.2 > 2.0.0) 2022-05-16 16:31:13 BuiltIn
Security Center 13ce0167-8ca6-4048-8e6b-f996402e3c1b Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Major, old suffix: preview (3.1.0-preview > 4.0.0) 2022-05-16 16:31:13 BuiltIn
Container Apps b874ab2d-72dd-47f1-8cb5-4a306478a4e7 Managed Identity should be enabled for Container Apps Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Bot Service 5e8168db-69e3-4beb-9822-57cb59202a9d Bot Service should have public network access disabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Container Apps 783ea2a8-b8fd-46be-896a-9ae79643a0b1 Container Apps should disable external network access Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
SQL fdccbe47-f3e3-4213-ad5d-ea459b2fa077 Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.2 > 2.0.0) 2022-05-16 16:31:13 BuiltIn
Internet of Things 510ec8b2-cb9e-461d-b7f3-6b8678c31182 Public network access for Azure Device Update for IoT Hub accounts should be disabled Disabling the public network access property improves security by ensuring your Azure Device Update for IoT Hub accounts can only be accessed from a private endpoint. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Container Apps 0e80e269-43a4-4ae9-b5bc-178126b8a5cb Container Apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Container Apps 7c9f3fbb-739d-4844-8e42-97e3be6450e0 Container App should configure with volume mount Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Internet of Things 27573ebe-7ef3-4472-a8e1-33aef9ea65c5 Configure Azure Device Update for IoT Hub accounts to disable public network access Disabling the public network access property improves security by ensuring your Device Update for IoT Hub can only be accessed from a private endpoint. This policy disables public network access on Device Update for IoT Hub resources. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Internet of Things 5b9d063f-c5fd-4750-a489-1258d1fefcbf Configure Azure Device Update for IoT Hub accounts with private endpoint A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Contributor
Network Contributor
add
 new Policy 2022-05-16 16:31:13 BuiltIn
Security Center 13ce0167-8ca6-4048-8e6b-f996402e3c1b Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview) 2022-05-06 16:29:23 BuiltIn
Container Apps 8b346db6-85af-419b-8557-92cee2c0f9bb Container App environments should use network injection Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2022-05-06 16:29:23 BuiltIn
Security Center 6646a0bd-e110-40ca-bb97-84fcee63c414 [Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates [Deprecated: With Cloud Services (classic) retiring (see https://azure.microsoft.com/updates/cloud-services-retirement-announcement), there will no longer be a need for this assessment as management certificates will be obsolete.] Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2022-05-06 16:29:23 BuiltIn
Guest Configuration 50c52fc9-cb21-4d99-9031-d6a0c613361c [Preview]: Windows machines should meet STIG compliance requirements for Azure compute Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-05-06 16:29:23 BuiltIn
SQL 86a912f6-9a06-4e26-b447-11b16ba8659f Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL DB Contributor
change
 Minor (2.0.0 > 2.1.0) 2022-05-06 16:29:23 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.1 > 2.0.0) 2022-05-06 16:29:23 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.1 > 2.0.0) 2022-05-06 16:29:23 BuiltIn
Kubernetes da6e2401-19da-4532-9141-fb8fbde08431 Azure Kubernetes Service Clusters should use managed identities Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-05-06 16:29:23 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (1.0.0 > 2.0.0) 2022-05-06 16:29:23 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-05-06 16:29:23 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (1.1.1 > 2.0.0) 2022-05-06 16:29:23 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.1 > 4.0.0) 2022-05-06 16:29:23 BuiltIn
Machine Learning 438c38d2-3772-465a-a9cc-7a6666a275ce Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.2.0 > 1.3.0) 2022-05-06 16:29:23 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (1.0.1 > 2.0.0) 2022-05-06 16:29:23 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-05-06 16:29:23 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (1.0.0 > 2.0.0) 2022-05-06 16:29:23 BuiltIn
Lab Services e8a5a3eb-1ab6-4657-a701-7ae432cf14e1 Lab Services should not allow template virtual machines for labs This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-29 18:06:01 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.1.0 > 3.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes 6c66c325-74c8-42fd-a286-a74b0e2939d8 Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2022-04-29 18:06:01 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (7.1.0 > 8.0.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit cpu and memory Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-29 18:06:01 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2022-04-29 18:06:01 BuiltIn
SignalR 53503636-bcc9-4748-9663-5348217f160f [Deprecated]: Azure SignalR Service should use private link The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated) 2022-04-29 18:06:01 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-04-29 18:06:01 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.1.0 > 5.2.0) 2022-04-29 18:06:01 BuiltIn
Synapse 8b5c654c-fb07-471b-aa8f-15fea733f140 Configure Azure Synapse Workspace Dedicated SQL minimum TLS version Customers can raise or lower the minimal TLS version using the API, for both new Synapse workspaces or existing workspaces. So users who need to use a lower client version in the workspaces can connect while users who has security requirement can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2022-04-29 18:06:01 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.1.0 > 3.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.1.0 > 7.2.0) 2022-04-29 18:06:01 BuiltIn
Synapse cb3738a6-82a2-4a18-b87b-15217b9deff4 Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-29 18:06:01 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2022-04-29 18:06:01 BuiltIn
Lab Services 3e13d504-9083-4912-b935-39a085db2249 Lab Services should restrict allowed virtual machine SKU sizes This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-29 18:06:01 BuiltIn
Lab Services a6e9cf2d-7d76-440e-b795-8da246bd3aab Lab Services should enable all options for auto shutdown This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-29 18:06:01 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Azure Connected Machine Resource Administrator
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-04-29 18:06:01 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.2.0 > 6.3.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.1.0 > 7.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.2.0 > 3.3.0) 2022-04-29 18:06:01 BuiltIn
Lab Services 0fd9915e-cab3-4f24-b200-6e20e1aa276a Lab Services should require non-admin user for labs This policy requires non-admin user accounts to be created for the labs managed through lab-services. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-29 18:06:01 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.1.0 > 3.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.0 > 6.2.0) 2022-04-29 18:06:01 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2022-04-29 18:06:01 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (7.1.0 > 8.0.0) 2022-04-29 18:06:01 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (7.1.0 > 8.0.0) 2022-04-29 18:06:01 BuiltIn
Web PubSub 52630df9-ca7e-442b-853b-c6ce548b31a2 [Deprecated]: Azure Web PubSub Service should use private link The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917 instead. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated) 2022-04-29 18:06:01 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major, suffix remains equal (5.1.0-preview > 6.0.0-preview) 2022-04-29 18:06:01 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview) 2022-04-29 18:06:01 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.1.0 > 4.2.0) 2022-04-29 18:06:01 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (7.1.0 > 8.0.0) 2022-04-29 18:06:01 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-04-22 19:50:54 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-22 19:50:54 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-04-22 19:50:54 BuiltIn
Storage fe83a0eb-a853-422d-aac2-1bffd182c5d0 Storage accounts should have the specified minimum TLS version Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-22 19:50:54 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major, suffix remains equal (4.1.0-preview > 5.1.0-preview) 2022-04-22 19:50:54 BuiltIn
SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-04-22 19:50:54 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-04-22 19:50:54 BuiltIn
Kubernetes 73868911-4f4a-444f-adbd-5382bf70208a Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Owner
add
 new Policy 2022-04-15 17:17:14 BuiltIn
Security Center d30025d0-6d64-656d-6465-67688881b632 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-04-15 17:17:14 BuiltIn
Cache 7d092e0a-7acd-40d2-a975-dca21cae48c4 [Deprecated]: Azure Cache for Redis should reside within a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) 2022-04-15 17:17:14 BuiltIn
Security Center 1ec9c2c2-6d64-656d-6465-3ec3309b8579 [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines Deploys Microsoft Defender for Endpoint on applicable Windows VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-04-15 17:17:14 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.0 > 6.2.0) 2022-04-15 17:17:14 BuiltIn
Stream Analytics ea6c4923-510a-4346-be26-1894919a5b97 Stream Analytics job should use managed identity to authenticate endpoints Ensure that Stream Analytics jobs only connect to endpoints using managed identity authentication. Default
Audit
Allowed
Deny, Disabled, Audit
add
 new Policy 2022-04-15 17:17:14 BuiltIn
Security Center 4eb909e7-6d64-656d-6465-2eeb297a1625 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-04-15 17:17:14 BuiltIn
Security Center 37c043a6-6d64-656d-6465-b362dfeb354a [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-04-15 17:17:14 BuiltIn
Network Deny-VNET-Peering-To-Non-Approved-VNETs Deny vNet peering to non-approved vNets This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope. Default
Deny
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-04-11 11:16:38 ALZ
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch (4.0.0 > 4.0.1) 2022-04-08 16:22:13 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (6.1.0 > 7.1.0) 2022-04-08 16:22:13 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-04-08 16:22:13 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (6.1.0 > 7.1.0) 2022-04-08 16:22:13 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch (3.0.0 > 3.0.1) 2022-04-08 16:22:13 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (6.1.0 > 7.1.0) 2022-04-08 16:22:13 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (6.1.0 > 7.1.0) 2022-04-08 16:22:13 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-04-08 16:22:13 BuiltIn
Monitoring 17b3de92-f710-4cf4-aa55-0e7859f1ed7b [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Contributor
Managed Identity Operator
Virtual Machine Contributor
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 3bd38f52-1833-42b2-b9aa-e1b9dcd0143b Microsoft Managed Control 1747 - Security Authorization Process Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 66632c7c-d0b3-4945-a8ae-e5c62cbea386 Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board | Publish Agreements on Website Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (2.0.0 > 3.0.0) 2022-04-01 20:29:14 BuiltIn
Automanage b025cfb4-3702-47c2-9110-87fe0cfcc99b Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 3815d34a-187d-4f30-a9fa-5ac464e3465d Microsoft Managed Control 1736 - Information Security Resources Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 1f01608c-5f35-492d-8763-8edf0080cc38 Microsoft Managed Control 1738 - Plan Of Action And Milestones Process Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 0c92e78e-4667-44f1-8b1d-bbc784b66950 Microsoft Managed Control 1755 - Contacts With Security Groups And Associations Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance af2a93c8-e6dd-4c94-acdd-4a2eedfc478e Microsoft Managed Control 1710 - Security Functionality Verification Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance f3739612-c86c-4b2e-bbe6-0d0869aec19c Microsoft Managed Control 1803 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.0 > 6.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.2 > 4.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 3a02bf7a-8fb7-4c97-bd55-4a8592764cc8 Microsoft Managed Control 1840 - Minimization of PII Used in Testing, Training, And Research | Risk Minimization Techniques Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance dd469ae0-71a8-4adc-aafc-de6949ca3339 Microsoft Managed Control 1715 - Software & Information Integrity | Automated Response To Integrity Violations Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 44e543aa-41db-42aa-98eb-8a5eb1db53f0 Microsoft Managed Control 1712 - Software & Information Integrity Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance a4eb2ba5-62b5-4524-83f0-7e05896edc76 Microsoft Managed Control 1824 - Data Quality Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d02e586f-d430-4053-b672-c14a788ad59f Microsoft Managed Control 1823 - Data Quality Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 05f5163b-bd90-49eb-8b6e-c1044d0b170a Microsoft Managed Control 1752 - Information Security Workforce Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b92ae63b-4411-48ba-b5c9-5bcaef5f8d02 Microsoft Managed Control 1841 - Consent Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4f26049b-2c5a-4841-9ff3-d48a26aae475 Microsoft Managed Control 1442 - Media Sanitization And Disposal | Nondestructive Techniques Microsoft implements this Media Protection control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes c050047b-b21b-4822-8a2d-c1e37c3c0c6a Configure Kubernetes clusters with specified GitOps configuration using SSH secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2022-04-01 20:29:14 BuiltIn
Monitoring 6c53d030-cc64-46f0-906d-2bc061cd1334 Log Analytics workspaces should block log ingestion and querying from public networks Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 58f477bf-287b-43ef-ab49-dffde92130a0 Microsoft Managed Control 1816 - Privacy Reporting Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 0afb38a3-5e1c-4339-9ab4-df6a3dfc7da2 Microsoft Managed Control 1804 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 3cb4787b-2c91-4aca-bf5a-577e99411c8a Microsoft Managed Control 1825 - Data Quality | Validate PII Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 71c6c2b1-78c8-4e84-9d05-9bd4db116cba Microsoft Managed Control 1858 - Privacy Notice Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.0.2 > 3.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 40fcc635-52a2-4dbc-9523-80a1f4aa1de6 Microsoft Managed Control 1438 - Media Sanitization And Disposal Microsoft implements this Media Protection control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.3 > 4.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 38dfd8a3-5290-4099-88b7-4081f4c4d8ae Microsoft Managed Control 1416 - Remote Maintenance | Document Remote Maintenance Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 70792197-9bfc-4813-905a-bd33993e327f Microsoft Managed Control 1509 - Position Categorization Microsoft implements this Personnel Security control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Key Vault 0a075868-4c26-42ef-914c-5bc007359560 Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) 2022-04-01 20:29:14 BuiltIn
Monitoring 6fc8115b-2008-441f-8c61-9b722c1e537f Workbooks should be saved to storage accounts that you control With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos Default
Audit
Allowed
deny, Deny, audit, Audit, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Bot Service 6164527b-e1ee-4882-8673-572f425f5e0a Bot Service endpoint should be a valid HTTPS URI Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.1 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d461dd50-c8fb-4ccb-93bf-61f53b44e54d Microsoft Managed Control 1742 - Critical Infrastructure Plan Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 025992d6-7fee-4137-9bbf-2ffc39c0686c Microsoft Managed Control 1709 - Security Functionality Verification Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (6.0.0 > 6.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 9834600a-668a-482c-9310-a89861b29e06 Microsoft Managed Control 1805 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b07c9b24-729e-4e85-95fc-f224d2d08a80 Microsoft Managed Control 1429 - Media Labeling Microsoft implements this Media Protection control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4e26f8c3-4bf3-4191-b8fc-d888805101b7 Microsoft Managed Control 1001 - Access Control Policy And Procedures Requirements Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 71280b2a-8c2f-4480-b933-686c0987cfbb Microsoft Managed Control 1851 - Redress Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 05a32666-d134-4842-a8cb-5c299f4bc099 Microsoft Managed Control 1728 - Incident Handling Microsoft implements this Incident Response control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 1fa50212-51a9-471b-95cf-3a23410ec9e9 Microsoft Managed Control 1730 - Information Security Program Plan Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.0.2 > 3.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance ad2f8e61-a564-4dfd-8eaa-816f5be8cb34 Microsoft Managed Control 1569 - Acquisitions Process Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Healthcare APIs fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 CORS should not allow every domain to access your FHIR Service Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. Default
Audit
Allowed
audit, Audit, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (6.0.0 > 6.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 68f837d0-8942-4b1e-9b31-be78b247bda8 Microsoft Managed Control 1070 - Wireless Access Restrictions | Disable Wireless Networking Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Stream Analytics 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 Azure Stream Analytics jobs should use customer-managed keys to encrypt data Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 952a545c-6dc5-4999-aeb6-51ed27dc7ea5 Microsoft Managed Control 1854 - Inventory of Personally Identifiable Information Microsoft implements this Security control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 6519d7f3-e8a2-4ff3-a935-9a9497152ad7 Microsoft Managed Control 1441 - Media Sanitization And Disposal | Equipment Testing Microsoft implements this Media Protection control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d39620a4-95c6-4d4f-8aa4-83c0c6a2c640 Microsoft Managed Control 1818 - Accounting of Disclosures Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
App Service 95bccee9-a7f8-4bec-9ee9-62c3473701fc App Service apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b Microsoft Managed Control 1304 - User Identification And Authentication | Local Access To Non-Privileged Accounts Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2fb740e5-cbc7-4d10-8686-d1bf826652b1 Microsoft Managed Control 1090 - Security Awareness Microsoft implements this Awareness and Training control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance aeedddb6-6bc0-42d5-809b-80048033419d Microsoft Managed Control 1413 - Remote Maintenance Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef Microsoft Managed Control 1717 - Software & Information Integrity | Binary Or Machine Executable Code Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 1437bf9c-feef-4c82-a57a-22d1fcbcd247 Microsoft Managed Control 1872 - Information Sharing with Third Parties Microsoft implements this Use Limitation control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 91c97b44-791e-46e9-bad7-ab7c4949edbb Microsoft Managed Control 1069 - Wireless Access Restrictions | Authentication And Encryption Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance cceea882-9d83-4ca6-b30e-6a7b381a8e6a Microsoft Managed Control 1866 - Dissemination of Privacy Program Information Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2234feec-08c6-4fc9-af78-df0dcc482efd Microsoft Managed Control 1860 - Privacy Notice Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2ef3cc79-733e-48ed-ab6f-7bf439e9b406 Microsoft Managed Control 1000 - Access Control Policy And Procedures Requirements Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 76f500cc-4bca-4583-bda1-6d084dc21086 Microsoft Managed Control 1508 - Position Categorization Microsoft implements this Personnel Security control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 99deec7d-5526-472e-b07c-3645a792026a Microsoft Managed Control 1300 - User Identification And Authentication Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2e5cd188-7fa8-41fc-87ff-0ac7475ccb25 Microsoft Managed Control 1845 - Consent | Mechanisms Supporting Itemized or Tiered Consent Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.1.0 > 3.2.0) 2022-04-01 20:29:14 BuiltIn
API for FHIR 0fea8f8a-4169-495d-8307-30ec335f387d CORS should not allow every domain to access your API for FHIR Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. Default
Audit
Allowed
audit, Audit, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 86cd0591-5076-4447-aeff-2557def90353 Microsoft Managed Control 1827 - Data Integrity And Data Integrity Board Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 38512b01-6a68-45d6-bb97-189a9a0fbe5e Microsoft Managed Control 1849 - Individual Access Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.0.1 > 7.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance fb3c7f40-4c97-4fdd-94c9-e7d99b4f6e42 Microsoft Managed Control 1750 - Mission/Business Process Definition Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance c6c43097-8552-4279-8b38-7dcabff781d3 Microsoft Managed Control 1819 - Accounting of Disclosures Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (3.0.0 > 4.0.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance e12494fa-b81e-4080-af71-7dbacc2da0ec Microsoft Managed Control 1714 - Software & Information Integrity | Automated Notifications Of Integrity Violations Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Bot Service 52152f42-0dda-40d9-976e-abb1acdd611e Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.0.0 > 2.1.0) 2022-04-01 20:29:14 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (6.0.0 > 6.1.0) 2022-04-01 20:29:14 BuiltIn
Key Vault 12ef42cb-9903-4e39-9c26-422d29570417 Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.0.1 > 2.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance f82e3639-fa2b-4e06-a786-932d8379b972 Microsoft Managed Control 1705 - Security Alerts & Advisories Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.1.2 > 6.2.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance fc933d22-04df-48ed-8f87-22a3773d4309 Microsoft Managed Control 1075 - Access Control for Portable And Mobile Systems | Full Device / Container-Based Encryption Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 5fd9ced5-18e8-4c09-91b7-3725680f8ade Microsoft Managed Control 1734 - Information Security Resources Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 3bd6a378-4173-411d-a958-dc699b0ee2fd Microsoft Managed Control 1737 - Plan Of Action And Milestones Process Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 1a437f5b-9ad6-4f28-8861-de404d511ae4 Microsoft Managed Control 1071 - Wireless Access Restrictions | Restrict Configurations By Users Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.3 > 4.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview) 2022-04-01 20:29:14 BuiltIn
Kubernetes 89f2d532-c53c-4f8f-9afa-4927b1114a0d Azure Kubernetes Service Clusters should disable Command Invoke Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.2 > 4.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 66a56404-7b65-4e33-b371-28d069172dd4 Microsoft Managed Control 1743 - Risk Management Strategy Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 0b1aa965-7502-41f9-92be-3e2fe7cc392a Microsoft Managed Control 1046 - Unsuccessful Logon Attempts | Purge / Wipe Mobile Device Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 51f2fa3e-cd5f-4713-a9ce-177ee7a22d48 Microsoft Managed Control 1828 - Data Integrity And Data Integrity Board Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance fd4a2ac8-868a-4702-a345-6c896c3361ce Microsoft Managed Control 1707 - Security Alerts & Advisories | Automated Alerts And Advisories Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 5ec0d156-53ba-4f29-8c17-1525cde54129 Microsoft Managed Control 1844 - Consent Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Monitoring d550e854-df1a-4de9-bf44-cd894b39a95e Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance ef080e67-0d1a-4f76-a0c5-fb9b0358485e Microsoft Managed Control 1089 - Security Awareness Microsoft implements this Awareness and Training control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2ce63a52-e47b-4ae2-adbb-6e40d967f9e6 Microsoft Managed Control 1414 - Remote Maintenance Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 01524fa8-4555-48ce-ba5f-c3b8dcef5147 Microsoft Managed Control 1142 - Certification, Authorization, Security Assessment Policy And Procedures Microsoft implements this Security Assessment and Authorization control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance f5a44e7d-77a2-474e-b2e3-4e8c42ba514b Microsoft Managed Control 1729 - Information Security Program Plan Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 5b61f773-2042-46a8-b489-106d850d6d4e Microsoft Managed Control 1814 - Privacy Awareness And Training Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance cf1cad59-1012-4b55-9b80-427596ea1f4f Microsoft Managed Control 1867 - Dissemination of Privacy Program Information Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 80ca0a27-918a-4604-af9e-723a27ee51e8 Microsoft Managed Control 1303 - User Identification And Authentication | Local Access To Privileged Accounts Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Monitoring 1f68a601-6e6d-4e42-babf-3f643a047ea2 Azure Monitor Logs clusters should be encrypted with customer-managed key Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 106618ad-fe3e-49b4-bfef-01009f6770d8 Microsoft Managed Control 1820 - Accounting of Disclosures Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes a6f560f4-f582-4b67-b123-a37dcd1bf7ea Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.2 > 4.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 0dced7ab-9ce5-4137-93aa-14c13e06ab17 Microsoft Managed Control 1718 - Software & Information Integrity | Binary Or Machine Executable Code Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 04f5fb00-80bb-48a9-a75b-4cb4d4c97c36 Microsoft Managed Control 1572 - Acquisitions Process Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Cosmos DB 1f905d99-2ab7-462c-a6b0-f709acca6c8f Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.2 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 238cef2f-9f76-41fa-be5e-0899a7aad0d8 Microsoft Managed Control 1821 - Data Quality Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 79da5b09-0e7e-499e-adda-141b069c7998 Microsoft Managed Control 1510 - Position Categorization Microsoft implements this Personnel Security control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance f355d62b-39a8-4ba3-abf7-90f71cb3b000 Microsoft Managed Control 1309 - User Identification And Authentication | Acceptance Of Piv Credentials Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 20ea0798-d19e-4925-afd0-53d583815818 Microsoft Managed Control 1815 - Privacy Awareness And Training Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 1ca29e41-34ec-4e70-aba9-6248aca18c31 Microsoft Managed Control 1072 - Wireless Access Restrictions | Antennas / Transmission Power Levels Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes b2fd3e59-6390-4f2b-8247-ea676bd03e2d [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor, suffix remains equal (4.0.2-deprecated > 4.1.0-deprecated) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance a7fcf38d-bb09-4600-be7d-825046eb162a Microsoft Managed Control 1570 - Acquisitions Process Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 59a7116d-19fd-49e9-a068-dec4460b97e5 Microsoft Managed Control 1731 - Information Security Program Plan Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 17641f70-94cd-4a5d-a613-3d1143e20e34 Microsoft Managed Control 1349 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Approved Products Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 56a838e0-0a5d-49a8-ab74-bf6be81b32f5 Microsoft Managed Control 1835 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Managed Application 9db7917b-1607-4e7d-a689-bca978dd0633 Application definition for Managed Application should use customer provided storage account Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 99efece4-6828-42a4-9577-ff06bc1c4bf4 Microsoft Managed Control 1839 - Minimization of PII Used in Testing, Training, And Research Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 6c657baf-0693-455a-8bb2-7b4bdf79fd0e Microsoft Managed Control 1757 - Contacts With Security Groups And Associations Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 881299bf-2a5b-4686-a1b2-321d33679953 Microsoft Managed Control 1440 - Media Sanitization And Disposal | Review / Approve / Track / Document / Verify Microsoft implements this Media Protection control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4f3b7f51-9620-4c71-b887-48a6838c68b8 Microsoft Managed Control 1748 - Security Authorization Process Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 395736bb-aa8b-45f0-b9cc-06af26b2b1d4 Microsoft Managed Control 1810 - Privacy Requirements for Contractors And Service Providers Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 84e622c8-4bed-417c-84c6-b2fb0dd73682 Microsoft Managed Control 1307 - User Identification And Authentication | Network Access To Non-Privileged Accounts - Replay... Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.0.2 > 3.1.0) 2022-04-01 20:29:14 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Minor (6.0.0 > 6.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 1c0b3710-03dc-450a-a56a-77b85e744f0d Microsoft Managed Control 1749 - Mission/Business Process Definition Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 791cfc15-6974-42a0-9f4c-2d4b82f4a78c Microsoft Managed Control 1647 - Use of Cryptography Microsoft implements this System and Communications Protection control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d78966ce-05c7-4967-829d-9a414ea2bc92 Microsoft Managed Control 1842 - Consent Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 669ac708-82af-46f6-8bd6-75b48247489d Microsoft Managed Control 1864 - System of Records Notices And Privacy Act Statements Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 563f2ce4-2d95-44b6-b828-275a2f3cac47 Microsoft Managed Control 1848 - Individual Access Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 0d87c70b-5012-48e9-994b-e70dd4b8def0 Microsoft Managed Control 1713 - Software & Information Integrity | Integrity Checks Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance f751cdb7-fbee-406b-969b-815d367cb9b3 Microsoft Managed Control 1591 - External Information System Services | Identification Of Functions / Ports / Protocols... Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Cosmos DB 0473574d-2d43-4217-aefe-941fcdf7e684 Azure Cosmos DB allowed locations This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.2 > 4.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 88ae1753-f34c-47c3-96af-dccb4ac052eb Microsoft Managed Control 1830 - Minimization of Personally Identifiable Information Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 61a1dd98-b259-4840-abd5-fbba7ee0da83 Microsoft Managed Control 1415 - Remote Maintenance Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b083a535-a66a-41ec-ba7f-f9498bf67cde Microsoft Managed Control 1711 - Security Functionality Verification Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.0.0 > 5.1.0) 2022-04-01 20:29:14 BuiltIn
Event Grid baf19753-7502-405f-8745-370519b20483 Deploy - Configure Azure Event Grid topics to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 58c93053-7b98-4cf0-b99f-1beb985416c2 Microsoft Managed Control 1573 - Acquisitions Process Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch, suffix remains equal (3.0.2-preview > 3.0.3-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 3044f5dc-93dd-4da0-b25d-bb6cedde3536 Microsoft Managed Control 1862 - System of Records Notices And Privacy Act Statements Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 855ced56-417b-4d74-9d5f-dd1bc81e22d6 Microsoft Managed Control 1348 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Third-Party... Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 76ba3061-b78b-48a5-aab8-43f5ae02898d Microsoft Managed Control 1847 - Individual Access Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 131a2706-61e9-4916-a164-00e052056462 Microsoft Managed Control 1347 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Piv Credentials... Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.1.2 > 2.2.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 956b00aa-7977-4214-a0f5-e0428c1f9bff Microsoft Managed Control 1806 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 9d9166a8-1722-4b8f-847c-2cf3f2618b3d Microsoft Managed Control 1305 - User Identification And Authentication | Group Authentication Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 07458826-9325-4481-abaf-bc9ed043459d Microsoft Managed Control 1744 - Risk Management Strategy Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Key Vault 8e826246-c976-48f6-b03e-619bb92b3d82 Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.0.1 > 2.1.0) 2022-04-01 20:29:14 BuiltIn
Monitoring fa298e57-9444-42ba-bf04-86e8470e32c7 Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 9870806c-153f-4fa5-aafa-c5f5eeb72292 Microsoft Managed Control 1741 - Enterprise Architecture Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b6747bf9-2b97-45b8-b162-3c8becb9937d Microsoft Managed Control 1419 - Remote Maintenance | Cryptographic Protection Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Event Grid d389df0a-e0d7-4607-833c-75a6fdac2c2d Deploy - Configure Azure Event Grid domains to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 12a4a4dd-6c65-4900-9d7e-63fed5da791e Microsoft Managed Control 1834 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc [Deprecated]: Kubernetes cluster containers should only listen on allowed ports Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor, suffix remains equal (6.1.3-deprecated > 6.2.0-deprecated) 2022-04-01 20:29:14 BuiltIn
Bot Service 51522a96-0869-4791-82f3-981000c2c67f Bot Service should be encrypted with a customer-managed key Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance c3e4fa5d-c0c4-46c4-9a13-bb9b9f0b003f Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements | Public Website Publication Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance dce72873-c5f1-47c3-9b4f-6b8207fd5a45 Microsoft Managed Control 1439 - Media Sanitization And Disposal Microsoft implements this Media Protection control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance a36eb487-cbd1-4fe7-a3df-2efc6aa2c2b6 Microsoft Managed Control 1745 - Risk Management Strategy Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 33cfabfd-49ce-432b-b988-aff483ca3897 Microsoft Managed Control 1871 - Information Sharing with Third Parties Microsoft implements this Use Limitation control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 426f3a87-2d38-47e9-9687-c095441cd82c Microsoft Managed Control 1732 - Information Security Program Plan Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b11c985b-f2cd-4bd7-85f4-b52426edf905 Microsoft Managed Control 1571 - Acquisitions Process Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 12718e41-af09-43b9-b6e4-7caae73b410b Microsoft Managed Control 1754 - Testing, Training, And Monitoring Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance e4df5fb7-58e9-41de-9399-f043c7a931f8 Microsoft Managed Control 1740 - Information Security Measures Of Performance Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.0.4 > 7.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 7a1e2c88-13de-4959-8ee7-47e3d74f1f48 Microsoft Managed Control 1708 - Security Functionality Verification Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.0.1 > 2.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance e54c325e-42a0-4dcf-b105-046e0f6f590f Microsoft Managed Control 1716 - Software & Information Integrity | Integration Of Detection And Response Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2e0ffcf5-c19e-4e04-ad0f-2db9b15ab126 Microsoft Managed Control 1751 - Insider Threat Program Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-04-01 20:29:14 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.0.2 > 2.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4d1d4ce2-71ea-4578-bbb4-fe76215d45ac Microsoft Managed Control 1811 - Privacy Requirements for Contractors And Service Providers Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2d045bca-a0fd-452e-9f41-4ec33769717c Microsoft Managed Control 1068 - Wireless Access Restrictions Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 7cb8a3d2-a208-4b6f-95e8-e8f0bb85a7a6 Microsoft Managed Control 1807 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 5f18c885-ade3-48c5-80b1-8f9216019c18 Microsoft Managed Control 1576 - Acquisitions Process | Design / Implementation Information For Security Controls Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 5c5e54f6-0127-44d0-8b61-f31dc8dd6190 Microsoft Managed Control 1067 - Wireless Access Restrictions Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.0.2 > 3.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 39f15e01-d964-41ee-88e3-eefbddc840cd Microsoft Managed Control 1846 - Individual Access Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Monitoring 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 Application Insights components should block log ingestion and querying from public networks Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 Configure Kubernetes clusters with specified GitOps configuration using no secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 8cb6d7ea-a6ae-4bc0-ae70-9fa3715e46bf Microsoft Managed Control 1822 - Data Quality Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d7d66d05-bf34-4555-b5f2-8b749def4098 Microsoft Managed Control 1837 - Data Retention And Disposal | System Configuration Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2ab0c8e3-b8ef-48e9-b6ac-a0c5e713a757 Microsoft Managed Control 1746 - Security Authorization Process Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 0f559588-5e53-4b14-a7c4-85d28ebc2234 Microsoft Managed Control 1430 - Media Labeling Microsoft implements this Media Protection control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4e54c7ef-7457-430b-9a3e-ef8881d4a8e0 Microsoft Managed Control 1579 - Acquisitions Process | Use Of Approved Piv Products Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch (1.1.0 > 1.1.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance baff1279-05e0-4463-9a70-8ba5de4c7aa4 Microsoft Managed Control 1726 - Information Output Handling And Retention Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance f7161f06-5260-4f0f-aeae-4bbfb8612a10 Microsoft Managed Control 1812 - Privacy Monitoring And Auditing Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Azure Stack Edge b4ac1030-89c5-4697-8e00-28b5ba6a8811 Azure Stack Edge devices should use double-encryption To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2d5600ed-575a-4723-9ff4-52d694be0a59 Microsoft Managed Control 1856 - Privacy Incident Response Microsoft implements this Security control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 898d4fe8-f743-4333-86b7-0c9245d93e7d Microsoft Managed Control 1411 - Remote Maintenance Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 65c11daf-e754-406e-8d7b-f337dbd46a4f Microsoft Managed Control 1800 - Authority to Collect Microsoft implements this Authority and Purpose control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 32d58eb6-4c76-4881-87ce-522b0e787bd0 Microsoft Managed Control 1735 - Information Security Resources Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 7c6de11b-5f51-4f7c-8d83-d2467c8a816e Microsoft Managed Control 1143 - Certification, Authorization, Security Assessment Policy And Procedures Microsoft implements this Security Assessment and Authorization control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Storage 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor, suffix remains equal (3.0.1-preview > 3.1.0-preview) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 6b04f815-52d7-4ff6-94bf-a4f22c07d5ae Microsoft Managed Control 1809 - Privacy Impact And Risk Assessment Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2bfea08c-2567-4f29-aad7-0f238ce655ea Microsoft Managed Control 1758 - Threat Awareness Program Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d2fc426a-4b67-464b-87c9-2134b8762ddf Microsoft Managed Control 1817 - Privacy-Enhanced System Design And Development Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 28e633fd-284e-4ea7-88b4-02ca157ed713 Microsoft Managed Control 1418 - Remote Maintenance | Comparable Security / Sanitization Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08 Microsoft Managed Control 1301 - User Identification And Authentication | Network Access To Privileged Accounts Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Monitoring ea0dfaed-95fb-448c-934e-d6e713ce393d Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 8a29d47b-8604-4667-84ef-90d203fcb305 Microsoft Managed Control 1092 - Security Awareness | Insider Threat Microsoft implements this Awareness and Training control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 0a2119c1-f068-4bfe-9f03-db94317e8db9 Microsoft Managed Control 1855 - Inventory of Personally Identifiable Information Microsoft implements this Security control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 7522ed84-70d5-4181-afc0-21e50b1b6d0e Microsoft Managed Control 1417 - Remote Maintenance | Comparable Security / Sanitization Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 45b7b644-5f91-498e-9d89-7402532d3645 Microsoft Managed Control 1578 - Acquisitions Process | Functions / Ports / Protocols / Services In Use Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 6bfe6405-805c-4c9b-a9d3-f209237bb95d Microsoft Managed Control 1802 - Governance And Privacy Program Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b23bd715-5d1c-4e5c-9759-9cbdf79ded9d Microsoft Managed Control 1091 - Security Awareness Microsoft implements this Awareness and Training control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 51d53eb3-6c02-4f3f-a608-a058af96fa6a Microsoft Managed Control 1831 - Minimization of Personally Identifiable Information Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance ea979184-f7c4-42be-86d2-584b95c34540 Microsoft Managed Control 1869 - Information Sharing with Third Parties Microsoft implements this Use Limitation control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.1 > 6.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b6a8eae8-9854-495a-ac82-d2cd3eac02a6 Microsoft Managed Control 1568 - Acquisitions Process Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4b0d8d1d-7800-4b62-b4bf-6eecde12b2af Microsoft Managed Control 1813 - Privacy Awareness And Training Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 1189aa19-fbcf-4b3e-b9ec-76508e2fa17b Microsoft Managed Control 1850 - Redress Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 27a69937-af92-4198-9b86-08d355c7e59a Microsoft Managed Control 1074 - Access Control for Portable And Mobile Systems Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 81817e1c-5347-48dd-965a-40159d008229 Microsoft Managed Control 1308 - User Identification And Authentication | Remote Access - Separate Device Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.3 > 4.1.0) 2022-04-01 20:29:14 BuiltIn
API for FHIR 051cba44-2429-45b9-9649-46cec11c7119 Azure API for FHIR should use a customer-managed key to encrypt data at rest Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. Default
Audit
Allowed
audit, Audit, disabled, Disabled
change
 Minor (1.0.1 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Key Vault bd78111f-4953-4367-9fd5-7e08808b54bf Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.0.1 > 2.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 74520428-3aa8-449c-938d-93f51940759e Microsoft Managed Control 1739 - Information System Inventory Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance cd6120c1-d069-416d-9753-fbe84bca4b01 Microsoft Managed Control 1808 - Privacy Impact And Risk Assessment Microsoft implements this Accountability, Audit, and Risk Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance aac17c36-2ac1-417f-ba74-6305f2ce6ad5 Microsoft Managed Control 1859 - Privacy Notice Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance f475ee0e-f560-4c9b-876b-04a77460a404 Microsoft Managed Control 1706 - Security Alerts & Advisories Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c Microsoft Managed Control 1073 - Access Control for Portable And Mobile Systems Microsoft implements this Access Control control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d4de5955-e00f-414d-9c16-f569c6a99c10 Microsoft Managed Control 1756 - Contacts With Security Groups And Associations Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41 Microsoft Managed Control 1575 - Acquisitions Process | Functional Properties Of Security Controls Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 09828c65-e323-422b-9774-9d5c646124da Microsoft Managed Control 1302 - User Identification And Authentication | Network Access To Non-Privileged Accounts Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d922484a-8cfc-4a6b-95a4-77d6a685407f Microsoft Managed Control 1577 - Acquisitions Process | Continuous Monitoring Plan Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4f8e271b-dfea-47e9-b81e-5519bae0b120 Microsoft Managed Control 1852 - Compliant Management Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance e17a106b-cf45-431e-89dc-da71e161c40c Microsoft Managed Control 1801 - Purpose Specification Microsoft implements this Authority and Purpose control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 8e903bb7-00e9-4255-a881-500742a2dbaa Microsoft Managed Control 1843 - Consent Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d5f959a0-1808-4ebd-9a13-79237246f96f Microsoft Managed Control 1861 - Privacy Notice | Real-Time or Layered Notice Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance c055ec23-c9d1-4718-be96-433aa8108516 Microsoft Managed Control 1826 - Data Quality | Re-Validate PII Microsoft implements this Data Quality and Integrity control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Internet of Things c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 Deploy - Configure Azure IoT Hubs to use private DNS zones Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Contributor
Network Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 18573dd5-899f-453d-b069-fa77b61fe257 Microsoft Managed Control 1870 - Information Sharing with Third Parties Microsoft implements this Use Limitation control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4c6df994-1810-44c9-bd35-3280397cf9a6 Microsoft Managed Control 1868 - Internal Use Microsoft implements this Use Limitation control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 804faf7d-b687-40f7-9f74-79e28adf4205 Microsoft Managed Control 1703 - Security Alerts & Advisories Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2fd50ffd-c983-4fab-862c-678b95bfaf5a Microsoft Managed Control 1832 - Minimization of Personally Identifiable Information Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 5bef3414-50bc-4fc0-b3db-372bb8fe0796 Microsoft Managed Control 1836 - Data Retention And Disposal Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Key Vault 1151cede-290b-4ba0-8b38-0ad145ac888f Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.0.1 > 2.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 3492d949-0dbb-4589-88b3-7b59601cc764 Microsoft Managed Control 1412 - Remote Maintenance Microsoft implements this Maintenance control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance fb845c34-808d-4c17-a0ce-85a530e9164b Microsoft Managed Control 1857 - Privacy Incident Response Microsoft implements this Security control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 3a09e314-dca7-4a19-b3b4-14abd6305043 Microsoft Managed Control 1753 - Testing, Training, And Monitoring Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes 1b708b0a-3380-40e9-8b79-821f9fa224cc Disable Command Invoke on Azure Kubernetes Service clusters Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (5.0.0 > 5.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay... Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance b2c2d6ed-bed8-419f-a8b7-59d736573acd Microsoft Managed Control 1863 - System of Records Notices And Privacy Act Statements Microsoft implements this Transparency control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4152937a-1a44-401a-a179-04b44ea15f4c Microsoft Managed Control 1733 - Senior Information Security Officer Microsoft implements this Program Management control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 0f935dab-83d6-47b8-85ef-68b8584161b9 Microsoft Managed Control 1574 - Acquisitions Process Microsoft implements this System and Services Acquisition control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Key Vault cee51871-e572-4576-855c-047c820360f0 Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (2.0.1 > 2.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (4.0.1 > 4.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance d77fd943-6ba6-4a21-ba07-22b03e347cc4 Microsoft Managed Control 1350 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Issued Profiles Microsoft implements this Identification and Authentication control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
Cosmos DB 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf Azure Cosmos DB throughput should be limited This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (1.0.0 > 1.1.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.0.2 > 3.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4c25cbd0-8776-412f-8466-5993e38ce602 Microsoft Managed Control 1838 - Minimization of PII Used in Testing, Training, And Research Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 [Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2022-04-01 20:29:14 BuiltIn
App Service c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 Function apps should have authentication enabled Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-04-01 20:29:14 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (7.0.1 > 7.1.0) 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 6f29a2f0-ca59-4bdc-97a7-a8d593b60108 Microsoft Managed Control 1853 - Compliant Management | Response Times Microsoft implements this Individual Participation and Redress control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 4edd8330-da6b-4f1e-b996-e064d8b92cb7 Microsoft Managed Control 1833 - Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII Microsoft implements this Data Minimization and Retention control Fixed
audit
add
 new Policy 2022-04-01 20:29:14 BuiltIn
Regulatory Compliance 2d44b6fa-1134-4ea6-ad4e-9edb68f65429 Microsoft Managed Control 1704 - Security Alerts & Advisories Microsoft implements this System and Information Integrity control Fixed
audit
change
 Patch (1.0.0 > 1.0.1) 2022-04-01 20:29:14 BuiltIn
CDN 679da822-78a7-4eff-8fff-a899454a9970 Azure Front Door Standard and Premium should be running minimum TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-03-25 18:52:24 BuiltIn
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (2.0.0 > 2.1.0) 2022-03-25 18:52:24 BuiltIn
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (2.0.1 > 2.1.1) 2022-03-25 18:52:24 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Patch, suffix remains equal (3.0.1-preview > 3.0.2-preview) 2022-03-25 18:52:24 BuiltIn
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-03-25 18:52:24 BuiltIn
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-03-25 18:52:24 BuiltIn
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (2.0.0 > 2.1.0) 2022-03-25 18:52:24 BuiltIn
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
 Minor (2.0.1 > 2.1.1) 2022-03-25 18:52:24 BuiltIn
CDN dfc212af-17ea-423a-9dcb-91e2cb2caa6b Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-03-25 18:52:24 BuiltIn
CDN daba2cce-8326-4af3-b049-81a362da024d Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-03-25 18:52:24 BuiltIn
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-03-25 18:52:24 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.1 > 1.1.0) 2022-03-18 17:53:47 BuiltIn
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Major (3.0.0 > 4.0.0) 2022-03-18 17:53:47 BuiltIn
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed
deployIfNotExists 		count: 001
Virtual Machine Contributor
change
 Major (1.3.0 > 2.0.0) 2022-03-18 17:53:47 BuiltIn
Azure Update Manager ba0df93e-e4ac-479a-aac2-134bbae39a1a Schedule recurring updates using Azure Update Manager You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-03-18 17:53:47 BuiltIn
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed
deployIfNotExists 		count: 001
Log Analytics Contributor
change
 Major (1.3.0 > 2.0.0) 2022-03-18 17:53:47 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major, suffix remains equal (2.0.0-preview > 3.0.1-preview) 2022-03-18 17:53:47 BuiltIn
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Major (3.0.0 > 4.0.0) 2022-03-18 17:53:47 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (2.0.0 > 3.0.0) 2022-03-18 17:53:47 BuiltIn
Storage 06695360-db88-47f6-b976-7500d4297475 Configure Azure File Sync to use private DNS zones To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
Private DNS Zone Contributor
change
 Minor (1.0.0 > 1.1.0) 2022-03-18 17:53:47 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.0.1 > 1.1.0) 2022-03-18 17:53:47 BuiltIn
Kubernetes 450d2877-ebea-41e8-b00c-e286317d21bf Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-03-18 17:53:47 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (2.0.1 > 2.1.0) 2022-03-18 17:53:47 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.2 > 5.0.0) 2022-03-11 18:16:48 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-03-11 18:16:48 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview) 2022-03-11 18:16:48 BuiltIn
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-03-11 18:16:48 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-03-11 18:16:48 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.2 > 5.0.0) 2022-03-11 18:16:48 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2022-03-11 18:16:48 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Major (1.0.0 > 2.0.0) 2022-03-11 18:16:48 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Major (1.0.0 > 2.0.0) 2022-03-11 18:16:48 BuiltIn
SQL b79fa14e-238a-4c2d-b376-442ce508fc84 Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (3.0.0 > 4.0.0) 2022-03-11 18:16:48 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-03-11 18:16:48 BuiltIn
Backup 8015d6ed-3641-4534-8d0b-5c67b67ff7de [Preview]: Configure Recovery Services vaults to use private endpoints for backup Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at : https://go.microsoft.com/fwlink/?linkid=2187162. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2022-03-11 18:16:48 BuiltIn
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default
Audit
Allowed
Audit, Disabled
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2022-03-11 18:16:48 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-03-11 18:16:48 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-03-11 18:16:48 BuiltIn
SQL 32e6bbec-16b6-44c2-be37-c5b672d103cf Azure SQL Database should be running TLS version 1.2 or newer Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (1.0.1 > 2.0.0) 2022-03-11 18:16:48 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (2.0.0 > 2.0.1) 2022-03-11 18:16:48 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
change
 Major (1.0.0 > 2.0.0) 2022-03-11 18:16:48 BuiltIn
Security Center 82bf5b87-728b-4a74-ba4d-6123845cf542 Configure Microsoft Defender for Azure Cosmos DB to be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2022-03-11 18:16:48 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (3.0.0 > 3.0.1) 2022-03-11 18:16:48 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-03-11 18:16:48 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (5.0.2 > 6.0.0) 2022-03-11 18:16:48 BuiltIn
Synapse 32ba8d30-07c0-4136-ab18-9a11bf4a67b7 Configure Synapse workspaces to have auditing enabled to Log Analytics workspace To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Owner
add
 new Policy 2022-03-11 18:16:48 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-03-11 18:16:48 BuiltIn
Security Center adbe85b5-83e6-4350-ab58-bf3a4f736e5e Microsoft Defender for Azure Cosmos DB should be enabled Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-03-11 18:16:48 BuiltIn
SQL 25da7dfb-0666-4a15-a8f5-402127efd8bb Configure SQL servers to have auditing enabled to Log Analytics workspace To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
SQL Security Manager
add
 new Policy 2022-03-11 18:16:48 BuiltIn
Monitoring f17d891d-ff20-46f2-bad3-9e0a5403a4d3 Linux Arc-enabled machines should have Azure Monitor Agent installed Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-03-11 18:16:48 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (3.0.2 > 3.1.0) 2022-02-18 17:44:00 BuiltIn
Guest Configuration c633f6a2-7f8b-4d9e-9456-02f0f04f5505 Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed
auditIfNotExists
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-02-18 17:44:00 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Major (3.0.0 > 4.0.0) 2022-02-18 17:44:00 BuiltIn
Storage f0e5abd0-2554-4736-b7c0-4ffef23475ef Queue Storage should use customer-managed key for encryption Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.1 > 2.0.0) 2022-02-18 17:44:00 BuiltIn
Security Center 37c043a6-6d64-656d-6465-b362dfeb354a [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Minor (2.0.0 > 2.1.0) 2022-02-18 17:44:00 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Guest Configuration 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd Audit Windows machines on which the DSC configuration is not compliant Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. Fixed
auditIfNotExists
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
Security Center 1ec9c2c2-6d64-656d-6465-3ec3309b8579 [Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines Deploys Microsoft Defender for Endpoint on applicable Windows VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Guest Configuration 58c460e9-7573-4bb2-9676-339c2f2486bb Audit Windows machines on which Windows Serial Console is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed
auditIfNotExists
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Major (1.0.0 > 2.0.0) 2022-02-18 17:44:00 BuiltIn
Security Center cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 [Deprecated]: Sensitive data in your SQL databases should be classified Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated) 2022-02-18 17:44:00 BuiltIn
Storage 7c322315-e26d-4174-a99e-f49d351b4688 Table Storage should use customer-managed key for encryption Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
Security Center 4eb909e7-6d64-656d-6465-2eeb297a1625 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Stream Analytics fe8684d6-3c5b-45c0-a08b-fa92653c2e1c Stream Analytics job should connect to trusted inputs and outputs Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization. Default
Audit
Allowed
Deny, Disabled, Audit
change
 Minor (1.0.0 > 1.1.0) 2022-02-18 17:44:00 BuiltIn
Guest Configuration e6ebf138-3d71-4935-a13b-9c7fdddd94df Audit Windows machines on which the specified services are not installed and 'Running' Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. Fixed
auditIfNotExists
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
Security Center d30025d0-6d64-656d-6465-67688881b632 [Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
SQL c9299215-ae47-4f50-9c54-8a392f68a052 Public network access should be disabled for MySQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-02-18 17:44:00 BuiltIn
Machine Learning 438c38d2-3772-465a-a9cc-7a6666a275ce Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.2.0) 2022-02-18 17:44:00 BuiltIn
Guest Configuration 934345e1-4dfb-4c70-90d7-41990dc9608b Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. Fixed
auditIfNotExists
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-18 17:44:00 BuiltIn
Guest Configuration c648fbbb-591c-4acd-b465-ce9b176ca173 Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-02-18 17:44:00 BuiltIn
Container Registry cced2946-b08a-44fe-9fd9-e4ed8a779897 Configure container registries to disable anonymous authentication. Disable anonymous pull for your registry so that data not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Container Registry a9b426fe-8856-4945-8600-18c5dd1cca2a Configure container registries to disable repository scoped access token. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Container Registry dc921057-6b28-4fbe-9b83-f7bec05db6c2 Container registries should have local admin account disabled. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-02-11 18:30:22 BuiltIn
Container Registry 79fdfe03-ffcb-4e55-b4d0-b925b8241759 Configure container registries to disable local admin account. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2022-02-11 18:30:22 BuiltIn
Storage ddcf4b94-9dfa-4a80-aca6-22bb654fde72 Azure NetApp Files SMB Volumes should use SMB3 encryption Disallow the creation of SMB Volumes without SMB3 encryption to ensure data integrity and data privacy. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (5.0.0 > 6.0.0) 2022-02-11 18:30:22 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (5.0.0 > 6.0.0) 2022-02-11 18:30:22 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview) 2022-02-11 18:30:22 BuiltIn
Container Registry 9f2dea28-e834-476c-99c5-3507b4728395 Container registries should have anonymous authentication disabled. Disable anonymous pull for your registry so that data is not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Storage 16f4af95-96b1-4220-805a-367ca59cd72e Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data integrity or data privacy Ensure that at least either Kerberos integrity (krb5i) or Kerberos privacy (krb5p) is selected to ensure data integrity and data privacy. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (5.0.0 > 6.0.0) 2022-02-11 18:30:22 BuiltIn
App Service 2d048aca-6479-4923-88f5-e2ac295d9af3 App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-02-11 18:30:22 BuiltIn
Security Center c9ae938d-3d6f-4466-b7c3-351761d9c890 [Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Security Center 3b1a8e0a-b2e1-48be-9365-28be2fbef550 [Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Security Center 30f52897-df47-4ca0-81a8-a3be3e8dd226 [Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Container Registry ff05e24e-195c-447e-b322-5e90c9f9f366 Container registries should have repository scoped access token disabled. Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Storage 7c6c7139-7d8e-45d0-9d94-72386a61308b Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data encryption Only allow the use of Kerberos privacy (5p) security mode to ensure data is encrypted. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Storage d558e1a6-296d-4fbb-81a5-ea25822639f6 Azure NetApp Files Volumes should not use NFSv3 protocol type Disallow the use of NFSv3 protocol type to prevent unsecure access to volumes. NFSv4.1 with Kerberos protocol should be used to access NFS volumes to ensure data integrity and encryption. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (5.0.0 > 6.0.0) 2022-02-11 18:30:22 BuiltIn
Security Center aba46665-c3a7-4319-ace1-a0282deebac2 [Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-11 18:30:22 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-02-04 18:25:37 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-04 18:25:37 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (2.0.1 > 3.0.0) 2022-02-04 18:25:37 BuiltIn
SQL a9934fd7-29f2-4e6d-ab3d-607ea38e9079 SQL Managed Instances should avoid using GRS backup redundancy Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Default
Deny
Allowed
Deny, Disabled
change
 Major (1.0.1 > 2.0.0) 2022-02-04 18:25:37 BuiltIn
SQL b79fa14e-238a-4c2d-b376-442ce508fc84 Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (2.0.0 > 3.0.0) 2022-02-04 18:25:37 BuiltIn
Automanage 6d02d2f7-e38b-4bdc-96f3-adc0a8726abc Hotpatch should be enabled for Windows Server Azure Edition VMs Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-02-04 18:25:37 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-02-04 18:25:37 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-02-04 18:25:37 BuiltIn
Security Center c15c5978-ab6e-4599-a1c3-90a7918f5371 [Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-02-04 18:25:37 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (1.0.0 > 2.0.0) 2022-02-04 18:25:37 BuiltIn
Security Center 9c0aa188-e5fe-4569-8f74-b6e155624d9a [Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2022-02-04 18:25:37 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-02-04 18:25:37 BuiltIn
Security Center 13ce0167-8ca6-4048-8e6b-f996402e3c1b Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Major, suffix remains equal (2.2.0-preview > 3.0.0-preview) 2022-02-04 18:25:37 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2022-02-04 18:25:37 BuiltIn
Guest Configuration bf16e0bb-31e1-4646-8202-60a235cc7e74 Audit Windows machines that do not have the password complexity setting enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration a2d0e922-65d0-40c4-8f87-ea6da2d307a2 Audit Windows machines that do not restrict the minimum password length to specified number of characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration fee5cb2b-9d9b-410e-afe3-2902d90d0004 [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 884b209a-963b-4520-8006-d20cb3c213e0 [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd Audit Windows machines on which the DSC configuration is not compliant Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 33936777-f2ac-45aa-82ec-07958ec9ade4 Windows machines should meet requirements for 'Security Options - Audit' Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration caf2d518-f029-4f6b-833b-d7081702f253 Windows machines should meet requirements for 'Security Options - Microsoft Network Server' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Monitoring 594c1276-f44f-482d-9910-71fac2ce5ae0 [Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 94d9aca8-3757-46df-aa51-f218c5f11954 Windows machines should meet requirements for 'System Audit Policies - Account Management' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration c5b85cba-6e6f-4de4-95e1-f0233cd712ac Audit Windows machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration e0a7e899-2ce2-4253-8a13-d808fdeb75af Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 8316fa92-d69c-4810-8124-62414f560dcf Windows machines should meet requirements for 'System Audit Policies - System' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 Audit Windows machines that do not have the specified Windows PowerShell modules installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Major (1.1.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (1.2.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 Windows machines should meet requirements for 'System Audit Policies - Account Logon' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 1221c620-d201-468c-81e7-2817e6107e84 Windows machines should meet requirements for 'Security Options - Network Security' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 4ceb8dc2-559c-478b-a15b-733fbf1e3738 Audit Windows machines that do not have the maximum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 492a29ed-d143-4f03-b6a4-705ce081b463 Windows machines should meet requirements for 'Security Options - User Account Control' Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration ee984370-154a-4ee8-9726-19d900e56fc0 Windows machines should meet requirements for 'Security Options - Accounts' Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 6265018c-d7e2-432f-a75d-094d5f6f4465 Audit Windows machines on which the Log Analytics agent is not connected as expected Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration d6c69680-54f0-4349-af10-94dd05f4225e Windows machines should meet requirements for 'Security Options - Microsoft Network Client' Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration f79fef0d-0050-4c18-a303-5babb9c14ac7 Windows machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 934345e1-4dfb-4c70-90d7-41990dc9608b Audit Windows machines that do not contain the specified certificates in Trusted Root Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.1 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration c633f6a2-7f8b-4d9e-9456-02f0f04f5505 Audit Windows machines that are not set to the specified time zone Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.2.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 Audit Windows machines that have extra accounts in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.3.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration ec49586f-4939-402d-a29e-6ff502b20592 [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (3.2.0 > 4.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 1417908b-4bff-46ee-a2a6-4acc899320ab Audit Windows machines that contain certificates expiring within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 67e010c1-640d-438e-a3a5-feaccb533a98 Windows machines should meet requirements for 'Administrative Templates - Network' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (3.1.0 > 4.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 35d9882c-993d-44e6-87d2-db66ce21b636 Windows machines should meet requirements for 'Windows Firewall Properties' Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration ebb67efd-3c46-49b0-adfe-5599eb944998 Audit Windows machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.2.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.1 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration c40c9087-1981-4e73-9f53-39743eda9d05 [Deprecated]: Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 4078e558-bda6-41fb-9b3c-361e8875200d [Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 84662df4-0e37-44a6-9ce1-c9d2150db18c Audit Windows machines that are not joined to the specified domain Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 35781875-8026-4628-b19b-f6efb4d88a1d Windows machines should meet requirements for 'System Audit Policies - Object Access' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.2.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 630ac30f-a234-4533-ac2d-e0df77acda51 Audit Windows machines network connectivity Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Major (1.1.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Audit Windows machines that have the specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration da0f98fe-a24b-4ad5-af69-bd0400233661 Audit Windows machines that do not store passwords using reversible encryption Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration bed48b13-6647-468e-aa2f-1af1d3f4dd40 Windows Defender Exploit Guard should be enabled on your machines Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.1.1 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration beb6ccee-b6b8-4e91-9801-a5fa4260a104 Audit Windows machines that have not restarted within the specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
App Service 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 87845465-c458-45f3-af66-dcd62176f397 Windows machines should meet requirements for 'System Audit Policies - Privilege Use' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration e6ebf138-3d71-4935-a13b-9c7fdddd94df Audit Windows machines on which the specified services are not installed and 'Running' Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration b4a4d1eb-0263-441b-84cb-a44073d8372d Windows machines should meet requirements for 'Security Options - Shutdown' Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 58383b73-94a9-4414-b382-4146eb02611b Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.1.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 968410dc-5ca0-4518-8a5b-7b55f0530ea9 Windows machines should meet requirements for 'Administrative Templates - System' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 3aa2661b-02d7-4ba6-99bc-dc36b10489fd Windows machines should meet requirements for 'Administrative Templates - Control Panel' Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 4221adbc-5c0f-474f-88b7-037a99e6114c Audit Windows VMs with a pending reboot Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 8794ff4f-1a35-4e18-938f-0b22055067cd Windows machines should meet requirements for 'Security Options - Devices' Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration f19aa1c1-6b91-4c27-ae6a-970279f03db9 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.2 > 4.0.3) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Windows machines should meet requirements for 'Security Options - Network Access' Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 19be9779-c776-4dfa-8a15-a2fd5dc843d6 Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration c648fbbb-591c-4acd-b465-ce9b176ca173 Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.1.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (3.0.0 > 4.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 4d1c04de-2172-403f-901b-90608c35c721 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 [Deprecated]: Show audit results from Linux VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 Windows machines should meet requirements for 'Security Options - Recovery console' Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 8537fe96-8cbe-43de-b0ef-131bc72bc22a Windows machines should meet requirements for 'Windows Components' Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration f2143251-70de-4e81-87a8-36cee5a2f29d Windows machines should meet requirements for 'Security Settings - Account Policies' Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 2f262ace-812a-4fd0-b731-b38ba9e9708d Windows machines should meet requirements for 'Security Options - System objects' Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 3470477a-b35a-49db-aca5-1073d04524fe [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration e068b215-0026-4354-b347-8fb2766f73a2 Windows machines should meet requirements for 'User Rights Assignment' Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Audit Windows machines missing any of specified members in the Administrators group Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 58c460e9-7573-4bb2-9676-339c2f2486bb Audit Windows machines on which Windows Serial Console is not enabled Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed
auditIfNotExists
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 2a7a701e-dff3-4da9-9ec5-42cb98594c0b Windows machines should meet requirements for 'System Audit Policies - Policy Change' Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 237b38db-ca4d-4259-9e47-7882441ca2c0 Audit Windows machines that do not have the minimum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration b18175dd-c599-4c64-83ba-bb018a06d35b [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 12017595-5a75-4bb1-9d97-4c2c939ea3c3 Windows machines should meet requirements for 'Security Options - System settings' Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration d472d2c9-d6a3-4500-9f5f-b15f123005aa Windows machines should meet requirements for 'Security Options - Interactive Logon' Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.2.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 5b054a0d-39e2-4d53-bea3-9734cad2c69b Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-28 17:51:01 BuiltIn
Guest Configuration 2d67222d-05fd-4526-a171-2ee132ad9e83 [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated) 2022-01-28 17:51:01 BuiltIn
Automanage f889cab7-da27-4c41-a3b0-de1f6f87c550 Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-01-21 21:53:22 BuiltIn
General 10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9 [Deprecated]: Custom subscription owner roles should not exist This policy is deprecated. Default
Audit
Allowed
Audit, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2022-01-21 21:53:22 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-21 21:53:22 BuiltIn
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Version remains equal, new suffix: version (4.1.0 > 4.1.0-version-deprecated) 2022-01-21 21:53:22 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.2 > 4.0.3) 2022-01-21 21:53:22 BuiltIn
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.1.0 > 2.2.0) 2022-01-21 21:53:22 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (3.1.0-preview > 4.0.0-preview) 2022-01-14 17:44:09 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-01-14 17:44:09 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2022-01-14 17:44:09 BuiltIn
Azure Edge Hardware Center 08a6b96f-576e-47a2-8511-119a212d344d Azure Edge Hardware Center devices should have double encryption support enabled Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-14 17:44:09 BuiltIn
Monitoring 594c1276-f44f-482d-9910-71fac2ce5ae0 [Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-01-07 18:14:35 BuiltIn
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-01-07 18:14:35 BuiltIn
Bot Service 52152f42-0dda-40d9-976e-abb1acdd611e Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (1.0.0 > 2.0.0) 2022-01-07 18:14:35 BuiltIn
Internet of Things 27d4c5ec-8820-443f-91fe-1215e96f64b2 Azure Device Update for IoT Hub accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2022-01-07 18:14:35 BuiltIn
Monitoring 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 Configure Log Analytics workspace and automation account to centralize logs and monitoring Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
change
 Major (1.0.0 > 2.0.0) 2022-01-07 18:14:35 BuiltIn
Backup 615b01c4-d565-4f6f-8c6e-d130268e3a1a [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Backup Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-01-07 18:14:35 BuiltIn
Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc [Deprecated]: Kubernetes cluster containers should only listen on allowed ports Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, new suffix: deprecated (6.1.2 > 6.1.3-deprecated) 2022-01-07 18:14:35 BuiltIn
Monitoring bacd7fca-1938-443d-aad6-a786107b1bfb [Deprecated]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2022-01-07 18:14:35 BuiltIn
Azure Purview 9259053b-ddb8-40ab-842a-0aef19d0ade4 Azure Purview accounts should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2022-01-07 18:14:35 BuiltIn
App Service b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0 [Deprecated]: Diagnostic logs in App Services should be enabled Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2022-01-07 18:14:35 BuiltIn
Security Center ae89ebca-1c92-4898-ac2c-9f63decb045c Guest Configuration extension should be installed on your machines To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.1 > 1.0.2) 2022-01-07 18:14:35 BuiltIn
Monitoring 04c4380f-3fae-46e8-96c9-30193528f602 [Preview]: Network traffic data collection agent should be installed on Linux virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2022-01-07 18:14:35 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2022-01-07 18:14:35 BuiltIn
SQL 0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (2.0.0 > 2.0.1) 2022-01-07 18:14:35 BuiltIn
Storage bc1b984e-ddae-40cc-801a-050a030e4fbe Storage accounts should have shared access signature (SAS) policies configured Ensure storage accounts have shared access signature (SAS) expiration policy enabled. Users use a SAS to delegate access to resources in Azure Storage account. And SAS expiration policy recommend upper expiration limit when a user creates a SAS token. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2022-01-07 18:14:35 BuiltIn
Monitoring 2f2ee1de-44aa-4762-b6bd-0893fc3f306d [Preview]: Network traffic data collection agent should be installed on Windows virtual machines Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2022-01-07 18:14:35 BuiltIn
Backup 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Backup Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2022-01-07 18:14:35 BuiltIn
Monitoring 7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. Fixed
AuditIfNotExists
change
 Minor (1.0.0 > 1.1.0) 2022-01-07 18:14:35 BuiltIn
Kubernetes a6f560f4-f582-4b67-b123-a37dcd1bf7ea Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-12-10 17:29:56 BuiltIn
Network 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 Deploy a flow log resource with target network security group Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-12-10 17:29:56 BuiltIn
Network e920df7f-9a64-4066-9b58-52684c02a091 Configure network security groups to enable traffic analytics Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-12-10 17:29:56 BuiltIn
Network 5e1cd26a-5090-4fdb-9d6a-84a90335e22d Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-12-10 17:29:56 BuiltIn
Kubernetes c050047b-b21b-4822-8a2d-c1e37c3c0c6a Configure Kubernetes clusters with specified GitOps configuration using SSH secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-12-10 17:29:56 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 2d67222d-05fd-4526-a171-2ee132ad9e83 [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration c40c9087-1981-4e73-9f53-39743eda9d05 [Deprecated]: Show audit results from Linux VMs that have accounts without passwords This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Monitoring a499fed8-bcc8-4195-b154-641f14743757 Azure Monitor Private Link Scope should block access to non private link resources Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Security Center d3d1e68e-49d4-4b56-acff-93cef644b432 [Deprecated]: Configure Azure Defender for container registries to be enabled Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2021-12-06 22:17:57 BuiltIn
SQL ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, old suffix: preview (1.0.0-preview > 2.0.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.1 > 3.0.2) 2021-12-06 22:17:57 BuiltIn
Security Center b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d Configure Azure Defender for App Service to be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2021-12-06 22:17:57 BuiltIn
Backup 958dbd4e-0e20-4385-a082-d3f20c2a6ad8 [Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Backup Contributor
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.3 > 7.0.4) 2021-12-06 22:17:57 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Major (2.0.0 > 3.0.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 1e7fed80-8321-4605-b42c-65fc300f23a3 [Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes 6b2122c1-8120-4ff5-801b-17625a355590 Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.1.0 > 1.2.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration b18175dd-c599-4c64-83ba-bb018a06d35b [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (2.0.1 > 2.0.2) 2021-12-06 22:17:57 BuiltIn
Security Center c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 [Deprecated]: Azure Defender for container registries should be enabled Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) 2021-12-06 22:17:57 BuiltIn
Kubernetes b2fd3e59-6390-4f2b-8247-ea676bd03e2d [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, suffix remains equal (4.0.1-deprecated > 4.0.2-deprecated) 2021-12-06 22:17:57 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2021-12-06 22:17:57 BuiltIn
Security Center c9ddb292-b203-4738-aead-18e2716e858f Configure Microsoft Defender for Containers to be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.1.0 > 1.2.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (2.1.1 > 2.1.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-12-06 22:17:57 BuiltIn
Security Center 523b5cd1-3e23-492f-a539-13118b6d1e3a [Deprecated]: Azure Defender for Kubernetes should be enabled Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated) 2021-12-06 22:17:57 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2021-12-06 22:17:57 BuiltIn
Kubernetes 0adc5395-9169-4b9b-8687-af838d69410a Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Kubernetes Extension Contributor
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Security Center b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2021-12-06 22:17:57 BuiltIn
SQL 048248b0-55cd-46da-b1ff-39efd52db260 [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 instead Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.2 > 1.0.2-deprecated) 2021-12-06 22:17:57 BuiltIn
Guest Configuration ec49586f-4939-402d-a29e-6ff502b20592 [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.1 > 2.1.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
165a4137-c3ed-4fd0-a17f-1c8a80266580 Fixed
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (1.1.1 > 1.2.0) 2021-12-06 22:17:57 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (4.0.0 > 5.0.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.1 > 3.0.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.1.1 > 6.1.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.1 > 3.0.2) 2021-12-06 22:17:57 BuiltIn
Backup 615b01c4-d565-4f6f-8c6e-d130268e3a1a [Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Backup Contributor
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.1.0 > 3.2.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.1.0 > 2.2.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration d3b823c9-e0fc-4453-9fb2-8213b7338523 Audit Linux machines that don't have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2021-12-06 22:17:57 BuiltIn
App Platform af35e2a4-ef96-44e7-a9ae-853dd97032c4 Azure Spring Cloud should use network injection Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Minor (1.0.0 > 1.1.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 4d1c04de-2172-403f-901b-90608c35c721 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Monitoring c9c29499-c1d1-4195-99bd-2ec9e3a9dc89 Deploy Diagnostic Settings for Network Security Groups This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. Fixed
deployIfNotExists 		count: 002
Monitoring Contributor
Storage Account Contributor
change
 Major (1.0.0 > 2.0.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-12-06 22:17:57 BuiltIn
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.1.0 > 1.2.0) 2021-12-06 22:17:57 BuiltIn
Security Center 1c988dd6-ade4-430f-a608-2a3e5b0a6d38 Microsoft Defender for Containers should be enabled Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Guest Configuration c648fbbb-591c-4acd-b465-ce9b176ca173 Audit Windows machines that do not have the specified Windows PowerShell execution policy Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.1 > 5.0.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.0.0 > 6.0.1) 2021-12-06 22:17:57 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (4.0.0 > 5.0.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 [Deprecated]: Show audit results from Linux VMs that have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc [Deprecated]: Kubernetes cluster containers should only listen on allowed ports Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.1.1 > 6.1.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.2 > 4.0.3) 2021-12-06 22:17:57 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (4.0.0 > 5.0.0) 2021-12-06 22:17:57 BuiltIn
Network 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 Web Application Firewall (WAF) should be enabled for Application Gateway Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.1 > 2.0.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview) 2021-12-06 22:17:57 BuiltIn
Monitoring bec5db8e-c4e3-40f9-a545-e0bd00065c82 Configure Azure Monitor Private Link Scope to block access to non private link resources Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-12-06 22:17:57 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2021-12-06 22:17:57 BuiltIn
Security Center 1f725891-01c0-420a-9059-4fa46cb770b7 Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2021-12-06 22:17:57 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-12-06 22:17:57 BuiltIn
Security Center 133047bf-1369-41e3-a3be-74a11ed1395a [Deprecated]: Configure Azure Defender for Kubernetes to be enabled Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Security Center 2370a3c1-4a25-4283-a91a-c9c1a145fb2f [Deprecated]: Configure Azure Defender for DNS to be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Patch (1.0.0 > 1.0.1) 2021-12-06 22:17:57 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-12-06 22:17:57 BuiltIn
SQL 0d134df8-db83-46fb-ad72-fe0c9428c8dd [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.1 > 2.0.1-deprecated) 2021-12-06 22:17:57 BuiltIn
SQL 0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, old suffix: preview (1.0.0-preview > 2.0.0) 2021-12-06 22:17:57 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (4.0.0 > 5.0.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.1 > 3.0.2) 2021-12-06 22:17:57 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.2.0 > 1.3.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration f19aa1c1-6b91-4c27-ae6a-970279f03db9 [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Guest Configuration fee5cb2b-9d9b-410e-afe3-2902d90d0004 [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
auditIfNotExists
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 884b209a-963b-4520-8006-d20cb3c213e0 [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 3470477a-b35a-49db-aca5-1073d04524fe [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated) 2021-12-06 22:17:57 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.1 > 3.0.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.1 > 3.0.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-12-06 22:17:57 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-12-06 22:17:57 BuiltIn
Compute 702dd420-7fcc-42c5-afe8-4026edd20fe0 OS and data disks should be encrypted with a customer-managed key Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2021-12-06 22:17:57 BuiltIn
Guest Configuration 497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
modify 		count: 001
Contributor
change
 Minor (1.0.0 > 1.1.0) 2021-12-06 22:17:57 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, new suffix: preview (1.0.0 > 1.0.1-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d2c Configure ChangeTracking Extension for Windows virtual machine scale sets Configure Windows virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (2.0.0-preview > 4.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 496e010e-fa91-4c00-be4b-92b481f67b58 [Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Reader
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.2 > 7.0.3) 2021-11-12 16:23:07 BuiltIn
Backup 013e242c-8828-4970-87b3-ab247555486d Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2021-11-12 16:23:07 BuiltIn
Security Center 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 [Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (5.0.0-preview > 6.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 95406fc3-1f69-47b0-8105-4c03b276ec5c [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 5.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center d62cfe2b-3ab0-4d41-980d-76803b58ca65 [Deprecated]: Log Analytics agent health issues should be resolved on your machines Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2021-11-12 16:23:07 BuiltIn
Network 055aa869-bc98-4af8-bafc-23f1ab6ffe2c Azure Web Application Firewall should be enabled for Azure Front Door entry-points Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.1 > 1.0.2) 2021-11-12 16:23:07 BuiltIn
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default
Audit
Allowed
Audit, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2021-11-12 16:23:07 BuiltIn
Security Center a7f5e735-d212-4c32-9229-d12bffbc7e00 [Preview]: ChangeTracking extension should be installed on your Windows Arc machine Install ChangeTracking Extension on Windows Arc machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 97566dd7-78ae-4997-8b36-1c7bfe0d8121 [Preview]: Secure Boot should be enabled on supported Windows virtual machines Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. Default
Audit
Allowed
Audit, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 7cb1b219-61c6-47e0-b80c-4472cadeeb5f [Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 1cb4d9c2-f88f-4069-bee0-dba239a57b09 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 3.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (2.0.0-preview > 5.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Data Factory f78ccdb4-7bf4-4106-8647-270491d2978a Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Stream Analytics fe8684d6-3c5b-45c0-a08b-fa92653c2e1c Stream Analytics job should connect to trusted inputs and outputs Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization. Default
Audit
Allowed
Deny, Disabled, Audit
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center ec88097d-843f-4a92-8471-78016d337ba4 Configure ChangeTracking Extension for Linux virtual machines Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 10caed8a-652c-4d1d-84e4-2805b7c07278 Configure ChangeTracking Extension for Linux Arc machines Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Media Services 9285c3de-d5fd-4225-86d4-027894b0c442 [Deprecated]: Azure Media Services should use customer-managed keys to encrypt data at rest This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center f08f556c-12ff-464d-a7de-40cb5b6cccec Configure ChangeTracking Extension for Windows virtual machines Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center e71c1e29-9c76-4532-8c4b-cb0573b0014c ChangeTracking extension should be installed on your Linux virtual machine scale sets Install ChangeTracking Extension on Linux virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center 8893442c-e7cb-4637-bab8-299a5d4ed96a [Preview]: ChangeTracking extension should be installed on your Linux virtual machine Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (3.0.0 > 4.0.0) 2021-11-12 16:23:07 BuiltIn
Security Center e494853f-93c3-4e44-9210-d12f61a64b34 [Preview]: Configure supported virtual machines to automatically enable vTPM Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center fc47609f-4d9b-4aed-806b-446816cc63a3 [Preview]: ChangeTracking extension should be installed on your Linux Arc machine Install ChangeTracking Extension on Linux Arc machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (3.0.0-preview > 6.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 009259b0-12e8-42c9-94e7-7af86aa58d13 [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Reader
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (3.0.0 > 4.0.0) 2021-11-12 16:23:07 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4cd5 Configure ChangeTracking Extension for Windows Arc machines Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 4.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 221aac80-54d8-484b-83d7-24f4feac2ce0 [Preview]: ChangeTracking extension should be installed on your Windows virtual machine Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (3.0.0 > 4.0.0) 2021-11-12 16:23:07 BuiltIn
Security Center 4bb303db-d051-4099-95d2-e3e1428a4d00 ChangeTracking extension should be installed on your Windows virtual machine scale sets Install ChangeTracking Extension on Windows virtual machine scale sets to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (3.0.0-preview > 5.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Security Center 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 [Preview]: vTPM should be enabled on supported virtual machines Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. Default
Audit
Allowed
Audit, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (3.0.0 > 4.0.0) 2021-11-12 16:23:07 BuiltIn
Security Center 1288c8d7-4b05-4e3a-bc88-9053caefc021 Configure ChangeTracking Extension for Linux virtual machine scale sets Configure Linux virtual machine scale sets to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-11-12 16:23:07 BuiltIn
Security Center f655e522-adff-494d-95c2-52d4f6d56a42 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-11-12 16:23:07 BuiltIn
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Version remains equal, new suffix: preview (2.0.1 > 2.0.1-preview) 2021-10-25 16:02:14 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.1 > 7.0.2) 2021-10-25 16:02:14 BuiltIn
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-10-22 15:42:38 BuiltIn
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-10-22 15:42:38 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-10-22 15:42:38 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-10-22 15:42:38 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-10-22 15:42:38 BuiltIn
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-10-22 15:42:38 BuiltIn
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-10-22 15:42:38 BuiltIn
Security Center 009259b0-12e8-42c9-94e7-7af86aa58d13 [Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Reader
Virtual Machine Contributor
add
 new Policy 2021-10-22 15:42:38 BuiltIn
Security Center 496e010e-fa91-4c00-be4b-92b481f67b58 [Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Reader
Virtual Machine Contributor
add
 new Policy 2021-10-22 15:42:38 BuiltIn
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-10-22 15:42:38 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2021-10-22 15:42:38 BuiltIn
Security Center 0961003e-5a0a-4549-abde-af6a37f2724d [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.2 > 2.0.3) 2021-10-22 15:42:38 BuiltIn
SQL b79fa14e-238a-4c2d-b376-442ce508fc84 Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.1 > 2.0.0) 2021-10-22 15:42:38 BuiltIn
Monitoring 17b3de92-f710-4cf4-aa55-0e7859f1ed7b [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Contributor
Managed Identity Operator
Virtual Machine Contributor
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2021-10-19 19:10:32 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-10-19 19:10:32 BuiltIn
Monitoring f17d891d-ff20-46f2-bad3-9e0a5403a4d3 Linux Arc-enabled machines should have Azure Monitor Agent installed Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-10-19 19:10:32 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-10-19 19:10:32 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Patch (2.0.0 > 2.0.1) 2021-10-19 19:10:32 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Minor (1.0.0 > 1.1.0) 2021-10-19 19:10:32 BuiltIn
Guest Configuration 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, old suffix: preview (1.0.1-preview > 1.0.1) 2021-10-19 19:10:32 BuiltIn
Compute 2c89a2e5-7285-40fe-afe0-ae8654b92fb2 [Deprecated]: Unattached disks should be encrypted This policy audits any unattached disk without encryption enabled. Default
Audit
Allowed
Audit, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2021-10-19 19:10:32 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-10-19 19:10:32 BuiltIn
Search 4eb216f2-9dba-4979-86e6-5d7e63ce3b75 Configure Azure AI Search services to disable local authentication Disable local authentication methods so that your Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Default
Modify
Allowed
Modify, Disabled 		count: 001
Search Service Contributor
add
 new Policy 2021-10-19 19:10:32 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-10-19 19:10:32 BuiltIn
Search 6300012e-e9a4-4649-b41f-a85f5c43be91 Azure AI Search services should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure AI Search portal functionality since some features of the Portal use the GA API which does not support the parameter. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-10-19 19:10:32 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, old suffix: preview (1.2.0-preview > 1.2.0) 2021-10-19 19:10:32 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2021-10-19 19:10:32 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2021-10-19 19:10:32 BuiltIn
Azure Arc 898f2439-3333-4713-af25-f1d78bc50556 Azure Arc Private Link Scopes should disable public network access Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Security Center 44433aa3-7ec2-4002-93ea-65c65ff0310a Configure Azure Defender for open-source relational databases to be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Major (1.2.0 > 2.0.0) 2021-10-08 15:47:40 BuiltIn
Azure Update Manager bfea026e-043f-4ff4-9d1b-bf301ca7ff46 Configure periodic checking for missing system updates on azure Arc-enabled servers Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify 		count: 001
Contributor
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Azure Arc 7eab1da3-2bf0-4ff0-8303-1a4277c380e8 Azure Arc Private Link Scopes should be configured with a private endpoint Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Azure Arc efa3f296-ff2b-4f38-bc0d-5ef12c965b68 Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-10-08 15:47:40 BuiltIn
HDInsight c8cc2f85-e019-4065-9fa3-5e6a2b2dde56 Azure HDInsight should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-10-08 15:47:40 BuiltIn
HDInsight 2676090a-4baf-46ac-9085-4ac02cc50e3e Configure Azure HDInsight clusters with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Monitoring bef3f64c-5290-43b7-85b0-9b254eef4c47 Deploy Diagnostic Settings for Key Vault to Log Analytics workspace Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2021-10-08 15:47:40 BuiltIn
Azure Arc d6eeba80-df61-4de5-8772-bc1b7852ba6b Configure Azure Arc Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 003
Azure Connected Machine Resource Administrator
Kubernetes Cluster - Azure Arc Onboarding
Network Contributor
add
 new Policy 2021-10-08 15:47:40 BuiltIn
HDInsight 43d6e3bd-fc6a-4b44-8b4d-2151d8736a11 Configure Azure HDInsight clusters to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Machine Learning 7804b5c7-01dc-4723-969b-ae300cc07ff1 Azure Machine Learning Computes should be in a virtual network Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Azure Arc a3461c8c-6c9d-4e42-a644-40ba8a1abf49 Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. Default
Modify
Allowed
Modify, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Azure Arc de0bc8ea-76e2-4fe2-a288-a07556d0e9c4 Configure Azure Arc Private Link Scopes to disable public network access Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink. Default
Modify
Allowed
Modify, Disabled 		count: 001
Azure Connected Machine Resource Administrator
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Azure Arc 55c4db33-97b0-437b-8469-c4f4498f5df9 Configure Azure Arc Private Link Scopes to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-10-08 15:47:40 BuiltIn
Key Vault ed7c8c13-51e7-49d1-8a43-8490431a0da2 Deploy Diagnostic Settings for Key Vault to Event Hub Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Major (2.0.0 > 3.0.0) 2021-10-08 15:47:40 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (1.1.0 > 1.1.1) 2021-10-08 15:47:40 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2021-10-04 15:27:15 BuiltIn
Event Hub 5d4e3c65-4873-47be-94f3-6f8b953a3598 Azure Event Hub namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-10-04 15:27:15 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Version remains equal, old suffix: preview (2.0.1-preview > 2.0.1) 2021-10-04 15:27:15 BuiltIn
Event Hub 57f35901-8389-40bb-ac49-3ba4f86d889d Configure Azure Event Hub namespaces to disable local authentication Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh. Default
Modify
Allowed
Modify, Disabled 		count: 001
Azure Event Hubs Data Owner
add
 new Policy 2021-10-04 15:27:15 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1) 2021-10-04 15:27:15 BuiltIn
Guest Configuration ea53dbee-c6c9-4f0e-9f9e-de0039b78023 Audit Linux machines that allow remote connections from accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2021-10-04 15:27:15 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2021-10-04 15:27:15 BuiltIn
Machine Learning 438c38d2-3772-465a-a9cc-7a6666a275ce Azure Machine Learning Workspaces should disable public network access Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-10-04 15:27:15 BuiltIn
Machine Learning a10ee784-7409-4941-b091-663697637c0f Configure Azure Machine Learning Workspaces to disable public network access Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-10-04 15:27:15 BuiltIn
Service Bus cfb11c26-f069-4c14-8e36-56c394dae5af Azure Service Bus namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-10-04 15:27:15 BuiltIn
Guest Configuration 630c64f9-8b6b-4c64-b511-6544ceff6fd6 Authentication to Linux machines should require SSH keys Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.1 > 2.1.0) 2021-10-04 15:27:15 BuiltIn
Guest Configuration f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 Audit Linux machines that have accounts without passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2021-10-04 15:27:15 BuiltIn
Guest Configuration e6955644-301c-44b5-a4c4-528577de6861 Audit Linux machines that do not have the passwd file permissions set to 0644 Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2021-10-04 15:27:15 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2021-10-04 15:27:15 BuiltIn
Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Minor (1.0.1 > 1.1.0) 2021-10-04 15:27:15 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.0 > 1.1.0) 2021-10-04 15:27:15 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Version remains equal, old suffix: preview (2.1.1-preview > 2.1.1) 2021-10-04 15:27:15 BuiltIn
Service Bus 910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e Configure Azure Service Bus namespaces to disable local authentication Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb. Default
Modify
Allowed
Modify, Disabled 		count: 001
Azure Service Bus Data Owner
add
 new Policy 2021-10-04 15:27:15 BuiltIn
Guest Configuration 0447bc18-e2f7-4c0d-aa20-bff034275be1 Audit Linux machines that have the specified applications installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (3.0.0 > 3.1.0) 2021-10-04 15:27:15 BuiltIn
Security Center af99038c-02fd-4a2f-ac24-386b62bf32de [Preview]: Machines should have ports closed that might expose attack vectors Azure's Terms Of Use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server, or the network. The exposed ports identified by this recommendation need to be closed for your continued security. For each identified port, the recommendation also provides an explanation of the potential threat. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-10-04 15:27:15 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1) 2021-10-04 15:27:15 BuiltIn
Monitoring d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2021-09-27 15:52:17 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Major (1.0.1 > 2.0.0) 2021-09-27 15:52:17 BuiltIn
Monitoring 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 [Deprecated]: Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2021-09-27 15:52:17 BuiltIn
Synapse ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee Configure Synapse workspaces to have auditing enabled To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
SQL Security Manager
Storage Account Contributor
change
 Major (1.1.0 > 2.0.0) 2021-09-27 15:52:17 BuiltIn
Kubernetes 13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759 [Deprecated]: Kubernetes clusters should gate deployment of vulnerable images This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-09-27 15:52:17 BuiltIn
Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 Configure Log Analytics extension on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (2.0.0 > 2.0.1) 2021-09-27 15:52:17 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (7.0.0 > 7.0.1) 2021-09-27 15:52:17 BuiltIn
Monitoring a70ca396-0a34-413a-88e1-b956c1e683be [Deprecated]: Virtual machines should have the Log Analytics extension installed This policy definition is deprecated because of limited performance uplift possible and the usage of a legacy authentication model. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2021-09-27 15:52:17 BuiltIn
Guest Configuration 1e7fed80-8321-4605-b42c-65fc300f23a3 [Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-27 15:52:17 BuiltIn
Monitoring 842c54e8-c2f9-4d79-ae8d-38d8b8019373 [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2021-09-27 15:52:17 BuiltIn
Monitoring 32133ab0-ee4b-4b44-98d6-042180979d50 [Deprecated]: Log Analytics Extension should be enabled for listed virtual machine images This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2021-09-27 15:52:17 BuiltIn
Monitoring 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 [Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
 Patch (2.0.0 > 2.0.1) 2021-09-27 15:52:17 BuiltIn
Compute 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 [Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace Fixed
deployIfNotExists 		count: 001
Log Analytics Contributor
change
 Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated) 2021-09-27 15:52:17 BuiltIn
Monitoring 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (2.0.0 > 2.0.1) 2021-09-27 15:52:17 BuiltIn
Security Center a2ea54a3-9707-45e3-8230-bbda8309d17e [Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2021-09-27 15:52:17 BuiltIn
Storage 92a89a79-6c52-4a7e-a03f-61306fc49312 Storage accounts should prevent cross tenant object replication Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because customer's data can be replicated to a storage account that is owned by the customer. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-09-27 15:52:17 BuiltIn
Security Center bdc59948-5574-49b3-bb91-76b7c986428d [Deprecated]: Azure Defender for DNS should be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2021-09-27 15:52:17 BuiltIn
Monitoring 053d3325-282c-4e5c-b944-24faffd30d77 Deploy Log Analytics extension for Linux VMs. See deprecation notice below Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Fixed
deployIfNotExists 		count: 001
Log Analytics Contributor
change
 Patch (2.0.0 > 2.0.1) 2021-09-27 15:52:17 BuiltIn
Network 2c89a2e5-7285-40fe-afe0-ae8654b92fab [Deprecated]: SSH access from the Internet should be blocked This policy is deprecated. This policy audits any network security rule that allows SSH access from Internet Default
Audit
Allowed
Audit, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2021-09-27 15:52:17 BuiltIn
Monitoring 3c1b3629-c8f8-4bf6-862c-037cb9094038 Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Virtual Machine Contributor
change
 Patch (2.0.0 > 2.0.1) 2021-09-27 15:52:17 BuiltIn
Guest Configuration 4078e558-bda6-41fb-9b3c-361e8875200d [Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-27 15:52:17 BuiltIn
Monitoring efbde977-ba53-4479-b8e9-10b957924fbf The Log Analytics extension should be installed on Virtual Machine Scale Sets This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.0 > 1.0.1) 2021-09-27 15:52:17 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Major, suffix remains equal (1.1.0-preview > 3.0.0-preview) 2021-09-27 15:52:17 BuiltIn
Network e372f825-a257-4fb8-9175-797a8a8627d6 [Deprecated]: RDP access from the Internet should be blocked This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet Default
Audit
Allowed
Audit, Disabled
change
 Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2021-09-27 15:52:17 BuiltIn
Monitoring 0868462e-646c-4fe3-9ced-a733534b6a2c Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (2.0.0 > 2.0.1) 2021-09-27 15:52:17 BuiltIn
Network 98a2e215-5382-489e-bd29-32e7190a39ba Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2021-09-27 15:52:17 BuiltIn
Key Vault 84d327c3-164a-4685-b453-900478614456 [Preview]: Configure Azure Key Vault Managed HSM to disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Default
Modify
Allowed
Modify, Disabled 		count: 001
Managed HSM contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-09-27 15:52:17 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.1 > 4.0.2) 2021-09-21 16:12:09 BuiltIn
Event Grid 8632b003-3545-4b29-85e6-b2b96773df1e Azure Event Grid partner namespaces should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Event Grid 8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1 Configure Azure Event Grid domains to disable local authentication Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Modify
Allowed
Modify, Disabled 		count: 001
EventGrid Contributor
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Automation 30d1d58e-8f96-47a5-8564-499a3f3cca81 Configure Azure Automation account to disable local authentication Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Event Grid ae9fb87f-8a17-4428-94a4-8135d431055c Azure Event Grid topics should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Event Grid 2dd0e8b9-4289-4bb0-b813-1883298e9924 Configure Azure Event Grid partner namespaces to disable local authentication Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Modify
Allowed
Modify, Disabled 		count: 001
EventGrid Contributor
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Event Grid 1c8144d9-746a-4501-b08c-093c8d29ad04 Configure Azure Event Grid topics to disable local authentication Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Modify
Allowed
Modify, Disabled 		count: 001
EventGrid Contributor
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Event Grid 8bfadddb-ee1c-4639-8911-a38cb8e0b3bd Azure Event Grid domains should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.1 > 4.0.0) 2021-09-21 16:12:09 BuiltIn
Automation 48c5f1cb-14ad-4797-8e3b-f78ab3f8d700 Azure Automation account should have local authentication method disabled Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Kubernetes 245fc9df-fa96-4414-9a0b-3738c2f7341c Resource logs in Azure Kubernetes Service should be enabled Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-21 16:12:09 BuiltIn
Security Center 13ce0167-8ca6-4048-8e6b-f996402e3c1b Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview) 2021-09-13 16:35:32 BuiltIn
Security Center 1f300abb-f5a0-41c3-a163-91bd3ed35de7 [Deprecated]: Azure Security agent should be installed on your Linux Arc machines Install the Azure Security agent on your Linux Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center bb2c6c6d-14bc-4443-bef3-c6be0adc6076 [Deprecated]: Azure Security agent should be installed on your Windows virtual machines Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2021-09-13 16:35:32 BuiltIn
Monitoring 04d53d87-841c-4f23-8a5b-21564380b55e Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Major (1.0.0 > 2.0.0) 2021-09-13 16:35:32 BuiltIn
Security Center 62b52eae-c795-44e3-94e8-1b3d264766fb [Deprecated]: Azure Security agent should be installed on your Linux virtual machine scale sets Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center 808a7dc4-49f2-4e7b-af75-d14e561c244a [Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center e8794316-d918-4565-b57d-6b38a06381a0 [Deprecated]: Azure Security agent should be installed on your Linux virtual machines Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center 2f47ec78-4301-4655-b78e-b29377030cdc [Deprecated]: Configure supported Linux Arc machines to automatically install the Azure Security agent Configure supported Linux Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Linux Arc machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center 0367cfc4-90b3-46ba-a8a6-ddd5d3514878 [Deprecated]: Azure Security agent should be installed on your Windows Arc machines Install the Azure Security agent on your Windows Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center e16f967a-aa57-4f5e-89cd-8d1434d0a29a [Deprecated]: Azure Security agent should be installed on your Windows virtual machine scale sets Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Key Vault 84d327c3-164a-4685-b453-900478614456 [Preview]: Configure Azure Key Vault Managed HSM to disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Default
Modify
Allowed
Modify, Disabled 		count: 001
Managed HSM contributor
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2021-09-13 16:35:32 BuiltIn
Security Center 0961003e-5a0a-4549-abde-af6a37f2724d [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.1 > 2.0.2) 2021-09-13 16:35:32 BuiltIn
Security Center 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 [Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (4.0.0-preview > 5.0.0-preview) 2021-09-13 16:35:32 BuiltIn
Security Center 6654c8c4-e6f8-43f8-8869-54327af7ce32 [Deprecated]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Security Center d01f3018-de9f-4d75-8dae-d12c1875da9f [Deprecated]: Configure supported Windows Arc machines to automatically install the Azure Security agent Configure supported Windows Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows Arc machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2021-09-13 16:35:32 BuiltIn
Bot Service 29261f8e-efdb-4255-95b8-8215414515d6 Configure BotService resources with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.0 > 3.0.1) 2021-09-08 15:39:57 BuiltIn
Internet of Things 9f8ba900-a70f-486e-9ffc-faf907305376 Configure Azure IoT Hub to disable local authentication Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Bot Service ad5621d6-a877-4407-aa93-a950b428315e BotService resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your BotService resource, data leakage risks are reduced. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
SignalR 702133e5-5ec5-4f90-9638-c78e22f13b39 Configure Azure SignalR Service to disable local authentication Disable local authentication methods so that your Azure SignalR Service exclusively requires Azure Active Directory identities for authentication. Default
Modify
Allowed
Modify, Disabled 		count: 001
SignalR/Web PubSub Contributor
add
 new Policy 2021-09-08 15:39:57 BuiltIn
App Service 847ef871-e2fe-4e6e-907e-4adbf71de5cf App Service app slots should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.0 > 3.0.1) 2021-09-08 15:39:57 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.0 > 3.0.1) 2021-09-08 15:39:57 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview) 2021-09-08 15:39:57 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (5.0.0 > 5.0.1) 2021-09-08 15:39:57 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
App Service f493116f-3b7f-4ab3-bf80-0c2af35e46c2 Configure App Service app slots to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.0 > 3.0.1) 2021-09-08 15:39:57 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
App Service 871b205b-57cf-4e1e-a234-492616998bf7 App Service apps should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-08 15:39:57 BuiltIn
App Service 5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2021-09-08 15:39:57 BuiltIn
App Service ec71c0bc-6a45-4b1f-9587-80dc83e6898c App Service app slots should have local authentication methods disabled for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
Healthcare APIs fe1c9040-c46a-4e81-9aea-c7850fbb3aa6 CORS should not allow every domain to access your FHIR Service Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect. Default
Audit
Allowed
audit, Audit, disabled, Disabled
add
 new Policy 2021-09-08 15:39:57 BuiltIn
App Service 2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (3.0.0 > 3.0.1) 2021-09-08 15:39:57 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview) 2021-09-08 15:39:57 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
App Service aede300b-d67f-480a-ae26-4b3dfb1a1fdc App Service apps should have local authentication methods disabled for SCM site deployments Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
change
 Patch (1.0.0 > 1.0.1) 2021-09-08 15:39:57 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview) 2021-09-08 15:39:57 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
App Service 572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Internet of Things 672d56b3-23a7-4a3c-a233-b77ed7777518 Azure IoT Hub should have local authentication methods disabled for Service Apis Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively require Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Bot Service 6a4e6f44-f2af-4082-9702-033c9e88b9f8 Configure BotService resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-09-08 15:39:57 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview) 2021-09-08 15:39:57 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (4.0.0 > 4.0.1) 2021-09-08 15:39:57 BuiltIn
Key Vault bd78111f-4953-4367-9fd5-7e08808b54bf Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2021-08-30 14:27:30 BuiltIn
Key Vault 342e8053-e12e-4c44-be01-c3c2f318400f Secrets should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
API Management df73bd95-24da-4a4f-96b9-4e8b94b402bd API Management should disable public network access to the service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-08-30 14:27:30 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
 Major (1.0.0 > 2.0.0) 2021-08-30 14:27:30 BuiltIn
Security Center 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 [Deprecated]: Endpoint protection health issues should be resolved on your machines Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-08-30 14:27:30 BuiltIn
Key Vault 8e826246-c976-48f6-b03e-619bb92b3d82 Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2021-08-30 14:27:30 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.0 > 4.0.0) 2021-08-30 14:27:30 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.0 > 4.0.0) 2021-08-30 14:27:30 BuiltIn
Key Vault 75262d3e-ba4a-4f43-85f8-9f72c090e5e3 Secrets should have content type set A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Key Vault 5ff38825-c5d8-47c5-b70e-069a21955146 Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Key Vault 75c4f823-d65c-4f29-a733-01d0077fdbcb Keys should be the specified cryptographic type RSA or EC Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Storage 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 Storage account public access should be disallowed Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major, suffix remains equal (2.0.1-preview > 3.0.1-preview) 2021-08-30 14:27:30 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) 2021-08-30 14:27:30 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (4.0.0 > 5.0.0) 2021-08-30 14:27:30 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.0 > 4.0.0) 2021-08-30 14:27:30 BuiltIn
Key Vault b0eb591a-5e70-4534-a8bf-04b9c489584a Secrets should have more than the specified number of days before expiration If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-08-30 14:27:30 BuiltIn
Key Vault e8d99835-8a06-45ae-a8e0-87a91941ccfe Secrets should not be active for longer than the specified number of days If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
API Management 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 Configure API Management services to disable access to API Management public service configuration endpoints To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
API Management Service Contributor
add
 new Policy 2021-08-30 14:27:30 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.0 > 4.0.0) 2021-08-30 14:27:30 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.0.0 > 7.0.0) 2021-08-30 14:27:30 BuiltIn
Key Vault f772fb64-8e40-40ad-87bc-7706e1949427 Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2021-08-30 14:27:30 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.0 > 4.0.0) 2021-08-30 14:27:30 BuiltIn
SQL f4c68484-132f-41f9-9b6d-3e4b1cb55036 Configure SQL servers to have auditing enabled To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
SQL Security Manager
Storage Account Contributor
change
 Major (2.0.0 > 3.0.0) 2021-08-30 14:27:30 BuiltIn
Key Vault 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.1-preview > 1.0.2) 2021-08-30 14:27:30 BuiltIn
Key Vault 12ef42cb-9903-4e39-9c26-422d29570417 Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2021-08-30 14:27:30 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-08-30 14:27:30 BuiltIn
Key Vault a22f4a40-01d3-4c7d-8071-da157eeff341 Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2021-08-30 14:27:30 BuiltIn
Key Vault ff25f3c8-b739-4538-9d07-3d6d25cfb255 Keys using elliptic curve cryptography should have the specified curve names Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-08-30 14:27:30 BuiltIn
Key Vault 587c79fe-dd04-4a5e-9d0b-f89598c7261b Keys should be backed by a hardware security module (HSM) An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Key Vault 1151cede-290b-4ba0-8b38-0ad145ac888f Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2021-08-30 14:27:30 BuiltIn
Monitoring 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 Azure Monitor Private Link Scope should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-08-30 14:27:30 BuiltIn
Security Center 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 [Deprecated]: Endpoint protection should be installed on your machines To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-08-30 14:27:30 BuiltIn
Key Vault 82067dbb-e53b-4e06-b631-546d197452d9 Keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Key Vault 98728c90-32c7-4049-8429-847dc0f4fe37 Key Vault secrets should have an expiration date Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.1-preview > 1.0.2) 2021-08-30 14:27:30 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.0 > 4.0.0) 2021-08-30 14:27:30 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (3.0.0 > 4.0.0) 2021-08-30 14:27:30 BuiltIn
Key Vault 49a22571-d204-4c91-a7b6-09b1a586fbc9 Keys should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Key Vault cee51871-e572-4576-855c-047c820360f0 Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch, old suffix: preview (2.0.0-preview > 2.0.1) 2021-08-30 14:27:30 BuiltIn
Key Vault c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 Keys should not be active for longer than the specified number of days Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2021-08-30 14:27:30 BuiltIn
Security Center 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-08-23 14:26:16 BuiltIn
Kubernetes a1840de2-8088-4ea8-b153-b4c723e9cb01 Azure Kubernetes Service clusters should have Defender profile enabled Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-08-23 14:26:16 BuiltIn
Azure Ai Services 037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-08-23 14:26:16 BuiltIn
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-08-23 14:26:16 BuiltIn
Bot Service ffea632e-4e3a-4424-bf78-10e179bb2e1a Bot Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-23 14:26:16 BuiltIn
Cognitive Services db630ad5-52e9-4f4d-9c44-53912fe40053 Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Cognitive Services Contributor
Network Contributor
change
 Major (1.0.0 > 2.0.0) 2021-08-23 14:26:16 BuiltIn
Key Vault d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844 [Preview]: Configure Azure Key Vault Managed HSM with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Managed HSM contributor
Network Contributor
add
 new Policy 2021-08-23 14:26:16 BuiltIn
Security Center 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 [Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (3.0.0-preview > 4.0.0-preview) 2021-08-23 14:26:16 BuiltIn
SQL c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd Configure Azure Defender to be enabled on SQL managed instances Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Security Manager
change
 Major (1.0.0 > 2.0.0) 2021-08-23 14:26:16 BuiltIn
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca [Deprecated]: Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Major (1.0.1 > 2.0.0) 2021-08-23 14:26:16 BuiltIn
Security Center 95406fc3-1f69-47b0-8105-4c03b276ec5c [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-08-23 14:26:16 BuiltIn
Cognitive Services cddd188c-4b82-4c48-a19d-ddf74ee66a01 [Deprecated]: Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Audit
Allowed
Audit, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-08-23 14:26:16 BuiltIn
Storage bfecdea6-31c4-4045-ad42-71b9dc87247d Storage account encryption scopes should use double encryption for data at rest Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-23 14:26:16 BuiltIn
Key Vault 19ea9d63-adee-4431-a95e-1913c6c1c75f [Preview]: Azure Key Vault Managed HSM should disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-23 14:26:16 BuiltIn
Key Vault 59fee2f4-d439-4f1b-9b9a-982e1474bfd8 [Preview]: Azure Key Vault Managed HSM should use private link Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-08-23 14:26:16 BuiltIn
Storage 6fac406b-40ca-413b-bf8e-0bf964659c25 Storage accounts should use customer-managed key for encryption Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.2 > 1.0.3) 2021-08-23 14:26:16 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
add
 new Policy 2021-08-23 14:26:16 BuiltIn
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-08-23 14:26:16 BuiltIn
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-08-23 14:26:16 BuiltIn
Cognitive Services 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c Configure Cognitive Services accounts to disable public network access Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Modify
Allowed
Disabled, Modify 		count: 001
Contributor
change
 Major (1.0.0 > 2.0.0) 2021-08-23 14:26:16 BuiltIn
0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 n/a n/a
remove
 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 2021-08-16 16:08:10 (i) BuiltIn
SQL 0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-13 17:07:49 BuiltIn
Media Services 8bfe3603-0888-404a-87ff-5c1b6b4cc5e3 [Deprecated]: Azure Media Services accounts should disable public network access This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-13 17:07:49 BuiltIn
SQL 78215662-041e-49ed-a9dd-5385911b3a1f Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-13 17:07:49 BuiltIn
SQL ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-13 17:07:49 BuiltIn
SQL abda6d70-9778-44e7-84a8-06713e6db027 Azure SQL Database should have Microsoft Entra-only authentication enabled during creation Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-13 17:07:49 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.1.0 > 7.0.0) 2021-08-13 17:07:49 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2021-08-13 17:07:49 BuiltIn
Batch 4dbc2f5c-51cf-4e38-9179-c7028eed2274 Configure Batch accounts to disable local authentication Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-08-09 19:32:42 BuiltIn
Batch 6f68b69f-05fe-49cd-b361-777ee9ca7e35 Batch accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-09 19:32:42 BuiltIn
Container Registry 524b0254-c285-4903-bee6-bb8126cde579 Container registries should have exports disabled Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-09 19:32:42 BuiltIn
SQL fd2d1a6e-6d95-4df2-ad00-504bf0273406 [Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Azure Extension for SQL Server Deployment
add
 new Policy 2021-08-09 19:32:42 BuiltIn
Batch 1760f9d4-7206-436e-a28f-d9f3a5c8a227 Azure Batch pools should have disk encryption enabled Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2021-08-09 19:32:42 BuiltIn
SignalR f70eecba-335d-4bbc-81d5-5b17b03d498f Azure SignalR Service should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure SignalR Service exclusively require Azure Active Directory identities for authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-09 19:32:42 BuiltIn
Kubernetes 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 Azure Kubernetes Service Clusters should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-08-09 19:32:42 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) 2021-08-02 15:58:22 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (2.1.0-preview > 3.1.0-preview) 2021-08-02 15:58:22 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (2.1.0-preview > 3.0.0-preview) 2021-08-02 15:58:22 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-08-02 15:58:22 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-08-02 15:58:22 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-08-02 15:58:22 BuiltIn
Security Center ffb6f416-7bd2-4488-8828-56585fef2be9 Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (3.0.0 > 4.0.0) 2021-07-30 15:17:20 BuiltIn
Storage 044985bb-afe1-42cd-8a36-9d5d42424537 Storage account keys should not be expired Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (2.0.0 > 3.0.0) 2021-07-30 15:17:20 BuiltIn
Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 Configure Dependency agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Major (1.2.1 > 2.0.0) 2021-07-30 15:17:20 BuiltIn
Security Center b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d Configure Azure Defender for App Service to be enabled Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Security Center 509122b9-ddd9-47ba-a5f1-d0dac20be63c Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (3.0.0 > 4.0.0) 2021-07-30 15:17:20 BuiltIn
Security Center 74c30959-af11-47b3-9ed2-a26e03f427a3 [Deprecated]: Configure Microsoft Defender for Storage (Classic) to be enabled Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts - please note that deprecation is for commercial cloud only. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Security Center 50ea7265-7d8c-429e-9a7d-ca1f410191c3 Configure Azure Defender for SQL servers on machines to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Security Center f1525828-9a90-4fcf-be48-268cdd02361e Deploy Workflow Automation for Microsoft Defender for Cloud alerts Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (3.0.0 > 4.0.0) 2021-07-30 15:17:20 BuiltIn
Monitoring 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Major (1.2.0 > 2.0.0) 2021-07-30 15:17:20 BuiltIn
Backup af783da1-4ad1-42be-800d-d19c70038820 [Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2021-07-30 15:17:20 BuiltIn
Security Center 133047bf-1369-41e3-a3be-74a11ed1395a [Deprecated]: Configure Azure Defender for Kubernetes to be enabled Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Security Center d3d1e68e-49d4-4b56-acff-93cef644b432 [Deprecated]: Configure Azure Defender for container registries to be enabled Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Monitoring deacecc0-9f84-44d2-bb82-46f32d766d43 Configure Dependency agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Major (1.2.0 > 2.0.0) 2021-07-30 15:17:20 BuiltIn
Security Center b99b73e7-074b-4089-9395-b7236f094491 Configure Azure Defender for Azure SQL database to be enabled Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Azure Edge Hardware Center 08a6b96f-576e-47a2-8511-119a212d344d Azure Edge Hardware Center devices should have double encryption support enabled Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Network 21a6bc25-125e-4d13-b82d-2e19b7208ab7 VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 Configure Log Analytics extension on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Major (1.2.0 > 2.0.0) 2021-07-30 15:17:20 BuiltIn
Search 76a56461-9dc0-40f0-82f5-2453283afa2f Azure AI Search services should use customer-managed keys to encrypt data at rest Enabling encryption at rest using a customer-managed key on your Azure AI Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Security Center cdfcce10-4578-4ecd-9703-530938e4abcb Deploy export to Event Hub for Microsoft Defender for Cloud data Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (3.0.0 > 4.0.0) 2021-07-30 15:17:20 BuiltIn
SQL 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 Configure Azure Defender to be enabled on SQL servers Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Fixed
DeployIfNotExists 		count: 001
SQL Security Manager
change
 Minor (2.0.0 > 2.1.0) 2021-07-30 15:17:20 BuiltIn
Security Center 73d6ab6c-2475-4850-afd6-43795f3492ef Deploy Workflow Automation for Microsoft Defender for Cloud recommendations Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Major (3.0.0 > 4.0.0) 2021-07-30 15:17:20 BuiltIn
Security Center b7021b2b-08fd-4dc0-9de7-3c6ece09faf9 Configure Azure Defender for Resource Manager to be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Monitoring d3ba9c42-9dd5-441a-957c-274031c750c0 Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. Default
Modify
Allowed
Modify, Disabled 		count: 001
Log Analytics Contributor
change
 Minor (1.0.0 > 1.1.0) 2021-07-30 15:17:20 BuiltIn
Security Center 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222 Configure Azure Defender for servers to be enabled Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Security Center 2370a3c1-4a25-4283-a91a-c9c1a145fb2f [Deprecated]: Configure Azure Defender for DNS to be enabled This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Backup deeddb44-9f94-4903-9fa0-081d524406e3 [Preview]: Azure Recovery Services vaults should use private link for backup Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. Default
Audit
Allowed
Audit, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-07-30 15:17:20 BuiltIn
SQL f4c68484-132f-41f9-9b6d-3e4b1cb55036 Configure SQL servers to have auditing enabled To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
SQL Security Manager
Storage Account Contributor
change
 Major (1.2.0 > 2.0.0) 2021-07-30 15:17:20 BuiltIn
SQL c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd Configure Azure Defender to be enabled on SQL managed instances Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL Security Manager
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Security Center 1f725891-01c0-420a-9059-4fa46cb770b7 Configure Microsoft Defender for Key Vault plan Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
add
 new Policy 2021-07-30 15:17:20 BuiltIn
Security Center 0a9fbe0d-c5c4-4da8-87d8-f4fd77338835 Azure Defender for open-source relational databases should be enabled Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-07-30 15:17:20 BuiltIn
SQL 17k78e20-9358-41c9-923c-fb736d382a12 Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-07-16 14:58:38 BuiltIn
SQL 86a912f6-9a06-4e26-b447-11b16ba8659f Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
SQL DB Contributor
change
 Major (1.0.0 > 2.0.0) 2021-07-16 14:58:38 BuiltIn
Cache 5d8094d7-7340-465a-b6fd-e60ab7e48920 Configure Azure Cache for Redis with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Redis Cache Contributor
add
 new Policy 2021-07-15 16:24:53 BuiltIn
Monitoring dddfa1af-dcd6-42f4-b5b0-e1db01e0b405 Configure Azure Application Insights components to disable public network access for log ingestion and querying Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Default
Modify
Allowed
Modify, Disabled 		count: 001
Application Insights Component Contributor
change
 Minor (1.0.0 > 1.1.0) 2021-07-15 16:24:53 BuiltIn
Cosmos DB 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb Azure Cosmos DB accounts should have firewall rules Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default
Deny
Allowed
Audit, Deny, Disabled
change
 Major (1.0.1 > 2.0.0) 2021-07-15 16:24:53 BuiltIn
Security Center 0961003e-5a0a-4549-abde-af6a37f2724d [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2021-07-15 16:24:53 BuiltIn
Media Services b4a7f6c1-585e-4177-ad5b-c2c93f4bb991 [Deprecated]: Configure Azure Media Services to use private DNS zones This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Monitoring dddfa1af-dcd6-42f4-b5b0-e1db01e0b405 Configure Azure Application Insights components to disable public network access for log ingestion and querying Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Default
Modify
Allowed
Modify, Disabled 		count: 001
Application Insights Component Contributor
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Monitoring d3ba9c42-9dd5-441a-957c-274031c750c0 Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. Default
Modify
Allowed
Modify, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Cosmos DB dc2d41d1-4ab1-4666-a3e1-3d51c43e0049 Configure Cosmos DB database accounts to disable local authentication Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Modify
Allowed
Modify, Disabled 		count: 001
DocumentDB Account Contributor
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Security Center c3d20c29-b36d-48fe-808b-99a87530ad99 Azure Defender for Resource Manager should be enabled Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2021-07-07 15:26:31 BuiltIn
Media Services 4a591bf5-918e-4a5f-8dad-841863140d61 [Deprecated]: Azure Media Services should use private link This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Monitoring 437914ee-c176-4fff-8986-7e05eb971365 Configure Azure Monitor Private Link Scope to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Cosmos DB 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2 Cosmos DB database accounts should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Monitoring e8185402-357b-4768-8058-f620bc0ae6b5 Configure Azure Monitor Private Link Scopes with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Media Services c5632066-946d-4766-9544-cd79bcc1286e [Deprecated]: Configure Azure Media Services with private endpoints This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
•unknown Id
add
 new Policy 2021-07-07 15:26:31 BuiltIn
App Service 546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-07-07 15:26:31 BuiltIn
App Service 687aa49d-0982-40f8-bf6b-66d1da97a04b App Service apps should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Service Bus ebaf4f25-a4e8-415f-86a8-42d9155bef0b Service Bus namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Storage 044985bb-afe1-42cd-8a36-9d5d42424537 Storage account keys should not be expired Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-07-07 15:26:31 BuiltIn
Event Hub 836cd60e-87f3-4e6a-a27c-29d687f01a4c Event Hub namespaces should have double encryption enabled Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Monitoring 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6 Azure Monitor Private Link Scope should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-07-07 15:26:31 BuiltIn
Key Vault 951af2fa-529b-416e-ab6e-066fd85ac459 Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-06-22 14:29:30 BuiltIn
App Service 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7 [Deprecated]: App Services should disable public network access Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
Network 235359c5-7c52-4b82-9055-01c75cf9f60e [Deprecated]: Service Bus should use a virtual network service endpoint This policy audits any Service Bus not configured to use a virtual network service endpoint. The resource type Microsoft.ServiceBus/namespaces/virtualNetworkRules is deprecated in the latest API version. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2021-06-22 14:29:30 BuiltIn
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-06-22 14:29:30 BuiltIn
Security Center 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 [Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-06-22 14:29:30 BuiltIn
App Service 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 1.0.0) 2021-06-22 14:29:30 BuiltIn
App Service 2d048aca-6479-4923-88f5-e2ac295d9af3 App Service Environment apps should not be reachable over public internet To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
App Service b318f84a-b872-429b-ac6d-a01b96814452 Configure App Service apps to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-06-22 14:29:30 BuiltIn
Monitoring 199d5677-e4d9-4264-9465-efe1839c06bd Application Insights components should block non-Azure Active Directory based ingestion. Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
App Service d79ab062-dffd-4318-8344-f70de714c0bc [Deprecated]: App Service should disable public network access Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2021-06-22 14:29:30 BuiltIn
Monitoring e15effd4-2278-4c65-a0da-4d6f6d1890e2 Log Analytics Workspaces should block non-Azure Active Directory based ingestion. Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
Monitoring 0c4bd2e8-8872-4f37-a654-03f6f38ddc76 Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage Default
Audit
Allowed
Deny, Audit, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
App Service 817dcf37-e83d-4999-a472-644eada2ea1e App Service Environment should be configured with strongest TLS Cipher suites The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
Monitoring 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 Configure Log Analytics workspace and automation account to centralize logs and monitoring Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-06-22 14:29:30 BuiltIn
Security Center 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28 [Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-06-22 14:29:30 BuiltIn
Storage 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54 Storage accounts should prevent shared key access Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
App Service 81dff7c0-4020-4b58-955d-c076a2136b56 [Deprecated]: Configure App Services to disable public network access Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Website Contributor
add
 new Policy 2021-06-22 14:29:30 BuiltIn
App Service 72d04c29-f87d-4575-9731-419ff16a2757 App Service apps should be injected into a virtual network Injecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
App Service eb4d34ab-0929-491c-bbf3-61e13da19f9a App Service Environment should be provisioned with latest versions Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-06-22 14:29:30 BuiltIn
Key Vault cf820ca0-f99e-4f3e-84fb-66e913812d21 Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
Search b4330a05-a843-4bc8-bf9a-cacce50c67f4 Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
Logic Apps 34f95f76-5386-4de7-b824-0d8478470c9d Resource logs in Logic Apps should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
Batch 428256e6-1fac-4f48-a757-df34c2b3336d Resource logs in Batch accounts should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
Data Lake c95c74d9-38fe-4f0d-af86-0c7d626a315c Resource logs in Data Lake Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
App Service 91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service apps should have resource logs enabled Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-06-17 14:24:41 BuiltIn
Stream Analytics f9be5368-9bf5-4b84-9e0a-7850da98bb46 Resource logs in Azure Stream Analytics should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
Data Lake 057ef27e-665e-4328-8ea3-04b3122bd9fb Resource logs in Azure Data Lake Store should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
Service Bus f8d36e2f-389b-4ee4-898d-21aeb69a0f45 Resource logs in Service Bus should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
Event Hub 83a214f7-d01a-484b-91a9-ed54470c9a6a Resource logs in Event Hub should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (4.0.1 > 5.0.0) 2021-06-17 14:24:41 BuiltIn
Container Registry 79fdfe03-ffcb-4e55-b4d0-b925b8241759 Configure container registries to disable local admin account. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-06-15 14:05:41 BuiltIn
Container Registry dc921057-6b28-4fbe-9b83-f7bec05db6c2 Container registries should have local admin account disabled. Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-06-15 14:05:41 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0) 2021-06-15 14:05:41 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0) 2021-06-15 14:05:41 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0) 2021-06-15 14:05:41 BuiltIn
Kubernetes 440b515e-a580-421e-abeb-b159a61ddcbc [Deprecated]: Kubernetes cluster containers should only listen on allowed ports Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.1.0 > 6.1.1) 2021-06-08 15:17:13 BuiltIn
Key Vault 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.1.1 > 2.0.0) 2021-06-08 15:17:13 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Patch (6.1.0 > 6.1.1) 2021-06-08 15:17:13 BuiltIn
Key Vault 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.2 > 2.0.0) 2021-06-08 15:17:13 BuiltIn
Security Center 95406fc3-1f69-47b0-8105-4c03b276ec5c [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-06-08 15:17:13 BuiltIn
Security Center 7cb1b219-61c6-47e0-b80c-4472cadeeb5f [Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-06-08 15:17:13 BuiltIn
SQL abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (2.0.0 > 2.0.1) 2021-06-08 15:17:13 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled or public network access disabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major, suffix remains equal (1.1.0-preview > 2.0.0-preview) 2021-06-08 15:17:13 BuiltIn
Security Center e494853f-93c3-4e44-9210-d12f61a64b34 [Preview]: Configure supported virtual machines to automatically enable vTPM Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-06-08 15:17:13 BuiltIn
SQL 6134c3db-786f-471e-87bc-8f479dc890f6 Deploy Advanced Data Security on SQL servers This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. Fixed
DeployIfNotExists 		count: 002
SQL Security Manager
Storage Account Contributor
change
 Minor (1.1.0 > 1.2.0) 2021-06-08 15:17:13 BuiltIn
SQL abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.1 > 1.0.2) 2021-06-08 15:17:13 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major (1.0.0 > 2.0.0) 2021-06-02 22:44:52 BuiltIn
Monitoring 17b3de92-f710-4cf4-aa55-0e7859f1ed7b [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Contributor
Managed Identity Operator
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-06-02 22:44:52 BuiltIn
Security Center 2ada9901-073c-444a-9a9a-91865174f0aa [Preview]: Configure Azure Defender for SQL agent on virtual machine Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-06-02 22:44:52 BuiltIn
Security Center 15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554 Log Analytics agent should be installed on your Cloud Services (extended support) role instances Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-06-02 22:44:52 BuiltIn
Kubernetes d2e7ea85-6b44-4317-a0be-1b951587f626 Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2021-06-02 22:44:52 BuiltIn
Security Center 1537496a-b1e8-482b-a06a-1cc2415cdc7b [Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-06-02 22:44:52 BuiltIn
App Configuration 72bc14af-4ab8-43af-b4e4-38e7983f9a1f Configure App Configuration stores to disable local authentication methods Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-06-02 22:44:52 BuiltIn
Network b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.0.0 > 3.0.0) 2021-06-02 22:44:52 BuiltIn
App Configuration b08ab3ca-1062-4db3-8803-eec9cae605d6 App Configuration stores should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-06-02 22:44:52 BuiltIn
Cognitive Services 14de9e63-1b31-492e-a5a3-c3f7fd57f555 Configure Cognitive Services accounts to disable local authentication methods Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-06-02 22:44:52 BuiltIn
Azure Ai Services 71ef260a-8f18-47b7-abcb-62d0673d94dc Azure AI Services resources should have key access disabled (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-06-02 22:44:52 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Site Recovery 942bd215-1a66-44be-af65-6a1c0318dbe2 [Preview]: Configure Azure Recovery Services vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Web PubSub 1b9c0b58-fc7b-42c8-8010-cdfa1d1b8544 Configure Azure Web PubSub Service with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
SignalR/Web PubSub Contributor
add
 new Policy 2021-05-26 13:43:16 BuiltIn
SQL 18adea5e-f416-4d0f-8aa8-d24321e3e274 PostgreSQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.3 > 1.0.4) 2021-05-26 13:43:16 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-05-26 13:43:16 BuiltIn
Backup af783da1-4ad1-42be-800d-d19c70038820 [Preview]: Configure Recovery Services vaults to use private DNS zones for backup Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Guest Configuration 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 Audit Windows machines that do not have the specified Windows PowerShell modules installed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-05-26 13:43:16 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2021-05-26 13:43:16 BuiltIn
App Service d79ab062-dffd-4318-8344-f70de714c0bc [Deprecated]: App Service should disable public network access Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Web PubSub 82909236-25f3-46a6-841c-fe1020f95ae1 Azure Web PubSub Service should use a SKU that supports private link With supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Site Recovery 11e3da8c-1d68-4392-badd-0ff3c43ab5b0 [Preview]: Recovery Services vaults should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0) 2021-05-26 13:43:16 BuiltIn
Monitoring 94c1f94d-33b0-4062-bd04-1cdc3e7eece2 Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. Default
Audit
Allowed
Audit, Disabled, Deny
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Security Center b1bb3592-47b8-4150-8db0-bfdcc2c8965b [Preview]: Linux virtual machines should use Secure Boot To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Web PubSub 0b026355-49cb-467b-8ac4-f777874e175a Configure Azure Web PubSub Service to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Site Recovery e95a8a5c-0987-421f-84ab-df4d88ebf7d1 [Preview]: Configure private endpoints on Azure Recovery Services vaults Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
Site Recovery Contributor
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Web PubSub 5b1213e4-06e4-4ccc-81de-4201f2f7131a Configure Azure Web PubSub Service to disable public network access Disable public network access for your Azure Web PubSub resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/awps/networkacls. Default
Modify
Allowed
Modify, Disabled 		count: 001
SignalR/Web PubSub Contributor
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Web PubSub 52630df9-ca7e-442b-853b-c6ce548b31a2 [Deprecated]: Azure Web PubSub Service should use private link The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917 instead. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Web PubSub bf45113f-264e-4a87-88f9-29ac8a0aca6a Azure Web PubSub Service should disable public network access Disabling public network access improves security by ensuring that Azure Web PubSub service isn't exposed on the public internet. Creating private endpoints can limit exposure of Azure Web PubSub service. Learn more at: https://aka.ms/awps/networkacls. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-26 13:43:16 BuiltIn
Security Center f6358610-e532-4236-b178-4c65865eb262 [Preview]: Virtual machines guest attestation status should be healthy Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection. This assessment only applies to Trusted Launch enabled virtual machines that have Guest Attestation extension installed. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-05-26 13:43:16 BuiltIn
SQL 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 MySQL servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch (1.0.3 > 1.0.4) 2021-05-26 13:43:16 BuiltIn
Media Services ccf93279-9c91-4143-a841-8d1f21505455 [Deprecated]: Azure Media Services accounts that allow access to the legacy v2 API should be blocked This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Monitoring f47b5582-33ec-4c5c-87c0-b010a6b2e917 [Deprecated]: Virtual machines should be connected to a specified workspace This policy definition is deprecated because OMS Agent has been deprecation on August 31, 2024. While there is not a specific replacement policy, we have various policies available based on the VM setup that can be found under Azure Monitor Agent/DCRA Linux. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
 Minor (1.0.1 > 1.1.0) 2021-05-18 14:34:48 BuiltIn
Network 5e1cd26a-5090-4fdb-9d6a-84a90335e22d Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Media Services e9914afe-31cd-4b8a-92fa-c887f847d477 [Deprecated]: Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2021-05-18 14:34:48 BuiltIn
Azure Active Directory 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2021-05-18 14:34:48 BuiltIn
Synapse 38d8df46-cf4e-4073-8e03-48c24b29de0d Azure Synapse workspaces should disable public network access Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Network 2f080164-9f4d-497e-9db6-416dc9f7b48a Network Watcher flow logs should have traffic analytics enabled Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Media Services a77d8bb4-8d22-4bc1-a884-f582a705b480 [Deprecated]: Azure Media Services accounts should use an API that supports Private Link This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Media Services daccf7e4-9808-470c-a848-1c5b582a1afb [Deprecated]: Azure Media Services content key policies should use token authentication This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Guest Configuration f79fef0d-0050-4c18-a303-5babb9c14ac7 Windows machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Guest Configuration 73db37c4-f180-4b0f-ab2c-8ee96467686b Linux machines should only have local accounts that are allowed Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Network e920df7f-9a64-4066-9b58-52684c02a091 Configure network security groups to enable traffic analytics Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Synapse 5c8cad01-ef30-4891-b230-652dadb4876a Configure Azure Synapse workspaces to disable public network access Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-05-18 14:34:48 BuiltIn
Guest Configuration fc9b3da7-8347-4380-8e70-0a0361d8dedd Linux machines should meet requirements for the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2021-05-11 14:06:18 BuiltIn
Monitoring 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-05-11 14:06:18 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-05-11 14:06:18 BuiltIn
Guest Configuration 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc Windows machines should meet requirements of the Azure compute security baseline Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview) 2021-05-11 14:06:18 BuiltIn
Monitoring 6c53d030-cc64-46f0-906d-2bc061cd1334 Log Analytics workspaces should block log ingestion and querying from public networks Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
add
 new Policy 2021-05-11 14:06:18 BuiltIn
SQL 80ed5239-4122-41ed-b54a-6f1fa7552816 Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-05-11 14:06:18 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-05-11 14:06:18 BuiltIn
SQL a6cf7411-da9e-49e2-aec0-cba0250eaf8c Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-05-11 14:06:18 BuiltIn
Guest Configuration 331e8ea8-378a-410f-a2e5-ae22f38bb0da Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-05-11 14:06:18 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-11 14:06:18 BuiltIn
SQL db048e65-913c-49f9-bb5f-1084184671d3 Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-05-11 14:06:18 BuiltIn
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.1.0 > 3.0.0) 2021-05-11 14:06:18 BuiltIn
Guest Configuration 385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed
deployIfNotExists 		count: 001
Contributor
change
 Patch (1.0.0 > 1.0.1) 2021-05-11 14:06:18 BuiltIn
Compute bc05b96c-0b36-4ca9-82f0-5c53f96ce05a Configure disk access resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-05-11 14:06:18 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major (6.0.0 > 7.0.0) 2021-05-11 14:06:18 BuiltIn
Monitoring 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 Application Insights components should block log ingestion and querying from public networks Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
add
 new Policy 2021-05-11 14:06:18 BuiltIn
Storage 044985bb-afe1-42cd-8a36-9d5d42424537 Storage account keys should not be expired Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-11 14:06:18 BuiltIn
SQL 9a7c7a7d-49e5-4213-bea8-6a502b6272e0 Deploy Diagnostic Settings for Azure SQL Database to Event Hub Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is created or updated. Fixed
DeployIfNotExists 		count: 001
Contributor
change
 Minor (1.1.0 > 1.2.0) 2021-05-11 14:06:18 BuiltIn
Security Center 13ce0167-8ca6-4048-8e6b-f996402e3c1b Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2021-05-04 14:34:06 BuiltIn
Security Center 6074e9a3-c711-4856-976d-24d51f9e065b [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Storage b5ec538c-daa0-4006-8596-35468b9148e8 Storage account encryption scopes should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Bot Service 52152f42-0dda-40d9-976e-abb1acdd611e Bot Service should have isolated mode enabled Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Security Center f655e522-adff-494d-95c2-52d4f6d56a42 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Security Center a21f8c92-9e22-4f09-b759-50500d1d2dda [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Security Center 97566dd7-78ae-4997-8b36-1c7bfe0d8121 [Preview]: Secure Boot should be enabled on supported Windows virtual machines Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Security Center 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 [Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default
Disabled
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-05-04 14:34:06 BuiltIn
Monitoring 17b3de92-f710-4cf4-aa55-0e7859f1ed7b [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. Default
Modify
Allowed
Modify, Disabled 		count: 003
Managed Identity Contributor
Managed Identity Operator
Virtual Machine Contributor
change
 Major, suffix remains equal (1.2.0-preview > 2.0.0-preview) 2021-05-04 14:34:06 BuiltIn
Security Center c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Security Center 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-05-04 14:34:06 BuiltIn
App Service 7261b898-8a84-4db8-9e04-18527132abb3 App Service apps that use PHP should use a specified 'PHP version' Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2021-05-04 14:34:06 BuiltIn
Security Center 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Virtual Machine Contributor
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Media Services e9914afe-31cd-4b8a-92fa-c887f847d477 [Deprecated]: Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Deny, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
App Service 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2021-05-04 14:34:06 BuiltIn
Security Center 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 [Preview]: vTPM should be enabled on supported virtual machines Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Security Center 1cb4d9c2-f88f-4069-bee0-dba239a57b09 [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
App Service d6545c6b-dd9d-4265-91e6-0b451e2f1c50 App Service Environment should have TLS 1.0 and 1.1 disabled TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-05-04 14:34:06 BuiltIn
Security Center 5a913c68-0590-402c-a531-e57e19379da3 [Deprecated]: Operating system version should be the most current version for your cloud service roles Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) 2021-05-04 14:34:06 BuiltIn
Security Center 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-05-04 14:34:06 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (2.0.0 > 3.0.0) 2021-04-27 15:38:15 BuiltIn
Monitoring 2465583e-4e78-4c15-b6be-a36cbc7c8b0f Configure Azure Activity logs to stream to specified Log Analytics workspace Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
add
 new Policy 2021-04-27 15:38:15 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-04-27 15:38:15 BuiltIn
Monitoring deacecc0-9f84-44d2-bb82-46f32d766d43 Configure Dependency agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, old suffix: preview (1.1.0-preview > 1.2.0) 2021-04-27 15:38:15 BuiltIn
Security Center 15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554 Log Analytics agent should be installed on your Cloud Services (extended support) role instances Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-04-27 15:38:15 BuiltIn
App Service 33228571-70a4-4fa1-8ca1-26d0aba8d6ef [Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-04-27 15:38:15 BuiltIn
Security Center 1e378679-f122-4a96-a739-a7729c46e1aa [Deprecated]: Cloud Services (extended support) role instances should have an endpoint protection solution installed Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them. Default
Disabled
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-04-27 15:38:15 BuiltIn
Security Center 4df26ba8-026d-45b0-9521-bffa44d741d2 Cloud Services (extended support) role instances should have system updates installed Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-04-27 15:38:15 BuiltIn
Monitoring 69af7d4a-7b18-4044-93a9-2651498ef203 Configure Log Analytics extension on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, old suffix: preview (1.1.0-preview > 1.2.0) 2021-04-27 15:38:15 BuiltIn
SQL 6134c3db-786f-471e-87bc-8f479dc890f6 Deploy Advanced Data Security on SQL servers This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. Fixed
DeployIfNotExists 		count: 002
SQL Security Manager
Storage Account Contributor
change
 Minor (1.0.0 > 1.1.0) 2021-04-27 15:38:15 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-04-27 15:38:15 BuiltIn
Security Center a0c11ca4-5828-4384-a2f2-fd7444dd5b4d Cloud Services (extended support) role instances should be configured securely Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not expolosed to any OS vulnerabilities. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-04-27 15:38:15 BuiltIn
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Minor (4.0.0 > 4.1.0) 2021-04-27 15:38:15 BuiltIn
SQL 7ea8a143-05e3-4553-abfe-f56bef8b0b70 Configure Azure SQL database servers diagnostic settings to Log Analytics workspace Enables auditing logs for Azure SQL Database server and stream the logs to a Log Analytics workspace when any SQL Server which is missing this auditing is created or updated Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
SQL Security Manager
change
 Patch (1.0.1 > 1.0.2) 2021-04-27 15:38:15 BuiltIn
App Service d6545c6b-dd9d-4265-91e6-0b451e2f1c50 App Service Environment should have TLS 1.0 and 1.1 disabled TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-04-27 15:38:15 BuiltIn
App Service fb74e86f-d351-4b8d-b034-93da7391c01f App Service Environment should have internal encryption enabled Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-04-27 15:38:15 BuiltIn
SQL b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 SQL Database should avoid using GRS backup redundancy Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Default
Deny
Allowed
Deny, Disabled
change
 Major (1.0.1 > 2.0.0) 2021-04-27 15:38:15 BuiltIn
Monitoring 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, old suffix: preview (1.1.0-preview > 1.2.0) 2021-04-27 15:38:15 BuiltIn
Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 Configure Dependency agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Patch (1.2.0 > 1.2.1) 2021-04-27 15:38:15 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major, suffix remains equal (2.0.0-preview > 3.0.0-preview) 2021-04-27 15:38:15 BuiltIn
Guest Configuration 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 Windows machines should be configured to use secure communication protocols To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.0 > 2.1.0) 2021-04-21 13:28:46 BuiltIn
Cognitive Services 11566b39-f7f7-4b82-ab06-68d8700eb0a4 [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. This policy is deprecated. Cognitive Services have data encryption enforced. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Major, new suffix: deprecated (1.0.0 > 2.0.0-deprecated) 2021-04-21 13:28:46 BuiltIn
Cognitive Services db630ad5-52e9-4f4d-9c44-53912fe40053 Configure Cognitive Services accounts with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Cognitive Services Contributor
Network Contributor
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Key Vault a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Backup 2e94d99a-8a36-4563-bc77-810d8893b671 [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Azure Active Directory 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Cognitive Services c4bc6f10-cb41-49eb-b000-d5ab82e2a091 Configure Cognitive Services accounts to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Key Vault 55615ac9-af46-4a59-874e-391cc3dfb490 Azure Key Vault should have firewall enabled or public network access disabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor, suffix remains equal (1.0.2-preview > 1.1.0-preview) 2021-04-21 13:28:46 BuiltIn
Key Vault 9d4fad1f-5189-4a42-b29e-cf7929c6b6df Configure Azure Key Vaults with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Key Vault Contributor
Network Contributor
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Cognitive Services cddd188c-4b82-4c48-a19d-ddf74ee66a01 [Deprecated]: Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Cognitive Services 2bdd0062-9d75-436e-89df-487dd8e4b3c7 [Deprecated]: Cognitive Services accounts should enable data encryption This policy is deprecated. Cognitive Services have data encryption enforced. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Major, new suffix: deprecated (1.0.0 > 2.0.0-deprecated) 2021-04-21 13:28:46 BuiltIn
Backup 013e242c-8828-4970-87b3-ab247555486d Azure Backup should be enabled for Virtual Machines Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.1 > 2.0.0) 2021-04-21 13:28:46 BuiltIn
Key Vault ac673a9a-f77d-4846-b2d8-a57f8e1c01dc Configure key vaults to enable firewall Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security Default
Modify
Allowed
Modify, Disabled 		count: 001
Key Vault Contributor
add
 new Policy 2021-04-21 13:28:46 BuiltIn
Automanage 270610db-8c04-438a-a739-e8e6745b22d3 [Deprecated]: Configure virtual machines to be onboarded to Azure Automanage Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
change
 Major (3.0.0 > 4.0.0) 2021-04-13 13:28:43 BuiltIn
Data Factory 8b0323be-cc25-4b61-935d-002c3798c6ea Azure Data Factory should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-04-13 13:28:43 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-04-07 13:27:17 BuiltIn
Compute 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5 Configure disk access resources with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-04-07 13:27:17 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-04-07 13:27:17 BuiltIn
Backup 09ce66bc-1220-4153-8104-e3f51c936913 Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major (1.1.0 > 2.0.0) 2021-04-07 13:27:17 BuiltIn
Compute 8405fdab-1faf-48aa-b702-999c9c172094 Managed disks should disable public network access Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-04-07 13:27:17 BuiltIn
Data Factory 86cd96e1-1745-420d-94d4-d3f2fe415aa4 Configure private DNS zones for private endpoints that connect to Azure Data Factory Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-04-07 13:27:17 BuiltIn
Backup 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 002
Backup Contributor
Virtual Machine Contributor
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-04-07 13:27:17 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2021-04-07 13:27:17 BuiltIn
Data Factory 08b1442b-7789-4130-8506-4f99a97226a7 Configure Data Factories to disable public network access Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
Modify
Allowed
Modify, Disabled 		count: 001
Data Factory Contributor
add
 new Policy 2021-04-07 13:27:17 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2021-04-07 13:27:17 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview) 2021-04-07 13:27:17 BuiltIn
Compute f39f5f49-4abf-44de-8c70-0756997bfb51 Disk access resources should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-04-07 13:27:17 BuiltIn
Compute 8426280e-b5be-43d9-979e-653d12a08638 Configure managed disks to disable public network access Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-04-07 13:27:17 BuiltIn
Data Factory 496ca26b-f669-4322-a1ad-06b7b5e41882 Configure private endpoints for Data factories Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Data Factory Contributor
Network Contributor
add
 new Policy 2021-04-07 13:27:17 BuiltIn
Machine Learning 1d413020-63de-11ea-bc55-0242ac130003 [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-03-31 14:35:06 BuiltIn
VM Image Builder 2154edb9-244f-4741-9970-660785bccdaa VM Image Builder templates should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Minor (1.0.1 > 1.1.0) 2021-03-31 14:35:06 BuiltIn
Machine Learning 53c70b02-63dd-11ea-bc55-0242ac130003 [Preview]: Configure allowed module authors for specified Azure Machine Learning computes Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (1.0.1-preview > 2.0.0-preview) 2021-03-31 14:35:06 BuiltIn
Guest Configuration 480d0f91-30af-4a76-9afb-f5710ac52b09 Private endpoints for Guest Configuration assignments should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-03-31 14:35:06 BuiltIn
Monitoring 752154a7-1e0f-45c6-a880-ac75a7e4f648 Public IP addresses should have resource logs enabled for Azure DDoS Protection Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
add
 new Policy 2021-03-31 14:35:06 BuiltIn
SQL f4c68484-132f-41f9-9b6d-3e4b1cb55036 Configure SQL servers to have auditing enabled To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
SQL Security Manager
Storage Account Contributor
change
 Minor (1.1.0 > 1.2.0) 2021-03-31 14:35:06 BuiltIn
Machine Learning 5853517a-63de-11ea-bc55-0242ac130003 [Preview]: Configure allowed registries for specified Azure Machine Learning computes Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-03-31 14:35:06 BuiltIn
Synapse ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee Configure Synapse workspaces to have auditing enabled To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
SQL Security Manager
Storage Account Contributor
change
 Minor (1.0.0 > 1.1.0) 2021-03-31 14:35:06 BuiltIn
Machine Learning 77eeea86-7e81-4a7d-9067-de844d096752 [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-03-31 14:35:06 BuiltIn
Network 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d Virtual networks should be protected by Azure DDoS Protection Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs. Default
Modify
Allowed
Modify, Audit, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-03-31 14:35:06 BuiltIn
Search 0fda3595-9f2b-4592-8675-4231d6fa82fe [Deprecated]: Azure AI Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AI Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-03-31 14:35:06 BuiltIn
Machine Learning 6a6f7384-63de-11ea-bc55-0242ac130003 [Preview]: Configure code signing for training code for specified Azure Machine Learning computes Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-03-31 14:35:06 BuiltIn
Machine Learning 3948394e-63de-11ea-bc55-0242ac130003 [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. Default
enforceSetting
Allowed
enforceSetting, disabled
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-03-31 14:35:06 BuiltIn
Search b698b005-b660-4837-b833-a7aaab26ddba Configure Azure AI Search services with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure AI Search service, you can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
Search Service Contributor
add
 new Policy 2021-03-31 14:35:06 BuiltIn
SignalR ef45854f-b33f-49a3-8041-9057e915d88f Configure private endpoints to Azure SignalR Service Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure SignalR Service resources, you can reduce data leakage risks. Learn more at https://aka.ms/asrs/privatelink. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Network Contributor
SignalR/Web PubSub Contributor
add
 new Policy 2021-03-31 14:35:06 BuiltIn
SQL 89099bee-89e0-4b26-a5f4-165451757743 SQL servers with auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (2.1.0 > 3.0.0) 2021-03-24 14:32:48 BuiltIn
Kubernetes 8dfab9c4-fe7b-49ad-85e4-1e9be085358f [Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-03-24 14:32:48 BuiltIn
Storage 970f84d8-71b6-4091-9979-ace7e3fb6dbb HPC Cache accounts should use customer-managed key for encryption Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
Audit
Allowed
Audit, Disabled, Deny
change
 Major (1.0.0 > 2.0.0) 2021-03-24 14:32:48 BuiltIn
Storage 6f8f98a4-f108-47cb-8e98-91a0d85cd474 [Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace Deprecated: This policy did not evaluate correctly and has been separated into policies for each of the nested resources. Please see new policies for storage accounts (id: /providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef), blob services (b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb), file (25a70cc8-2bd4-47f1-90b6-1478e4662c96), queue (7bd000e3-37c7-4928-9f31-86c4b77c5c45), and table (2fb86bf3-d221-43d1-96d1-2434af34eaa0). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Log Analytics Contributor
Monitoring Contributor
change
 Minor (1.1.0 > 1.3.0) 2021-03-24 14:32:48 BuiltIn
Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab [Deprecated]: Azure Machine Learning workspaces should use private link This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.0 > 1.1.0) 2021-03-24 14:32:48 BuiltIn
Cognitive Services 46aa9b05-0e60-4eae-a88b-1e9d374fa515 Cognitive Services accounts should use customer owned storage Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-03-24 14:32:48 BuiltIn
Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.1.0 > 1.2.0) 2021-03-24 14:32:48 BuiltIn
Synapse 529ea018-6afc-4ed4-95bd-7c9ee47b00bc Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Major (1.0.0 > 2.0.0) 2021-03-24 14:32:48 BuiltIn
Migrate 7590a335-57cf-4c95-babd-ecbc8fafeb1f Configure Azure Migrate resources to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-03-16 16:49:20 BuiltIn
Container Registry 0fdf0491-d080-4575-b627-ad0e843cba0f Public network access should be disabled for Container registries Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-03-16 16:49:20 BuiltIn
Container Registry a3701552-92ea-433e-9d17-33b7f1208fc9 Configure Container registries to disable public network access Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. Default
Modify
Allowed
Modify, Disabled 		count: 001
Contributor
add
 new Policy 2021-03-16 16:49:20 BuiltIn
Machine Learning ee40564d-486e-4f68-a5ca-7a621edae0fb Configure Azure Machine Learning workspace to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-03-16 16:49:20 BuiltIn
Container Registry d85c6833-7d33-4cf5-a915-aaa2de84405f Configure Container registries with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Contributor
add
 new Policy 2021-03-16 16:49:20 BuiltIn
Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 Configure Dependency agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Log Analytics Contributor
change
 Minor, old suffix: preview (1.1.0-preview > 1.2.0) 2021-03-16 16:49:20 BuiltIn
Container Registry e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 Configure Container registries to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-03-16 16:49:20 BuiltIn
Compute ac34a73f-9fa5-4067-9247-a3ecae514468 Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Owner
change
 Minor (1.0.0 > 1.1.0) 2021-03-16 16:49:20 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Major, old suffix: preview (2.0.0-preview > 3.0.0) 2021-03-16 16:49:20 BuiltIn
Machine Learning 7838fd83-5cbb-4b5d-888c-bfa240972597 Configure Azure Machine Learning workspaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-03-16 16:49:20 BuiltIn
Container Registry d0793b48-0edc-4296-a390-4c75d1bdfd71 Container registries should not allow unrestricted network access Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Minor (1.0.1 > 1.1.0) 2021-03-16 16:49:20 BuiltIn
Container Registry bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 Container registries should have SKUs that support Private Links Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-03-16 16:49:20 BuiltIn
Machine Learning 40cec1dd-a100-4920-b15b-3024fe8901ab [Deprecated]: Azure Machine Learning workspaces should use private link This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.1 > 1.0.0) 2021-03-16 16:49:20 BuiltIn
Security Center 13ce0167-8ca6-4048-8e6b-f996402e3c1b Configure machines to receive a vulnerability assessment provider Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Security Admin
change
 Major, suffix remains equal (1.0.0-preview > 2.0.0-preview) 2021-03-10 14:52:46 BuiltIn
Search 9cee519f-d9c1-4fd9-9f79-24ec3449ed30 Configure Azure AI Search services to disable public network access Disable public network access for your Azure AI Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Modify
Allowed
Modify, Disabled 		count: 002
Network Contributor
Search Service Contributor
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Cosmos DB 797b37f7-06b8-444c-b1ad-fc62867f335a Azure Cosmos DB should disable public network access Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca [Deprecated]: Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Disabled
Allowed
Audit, Deny, Disabled
change
 Patch (1.0.0 > 1.0.1) 2021-03-09 14:37:41 BuiltIn
Search ee980b6d-0eca-4501-8d54-f6290fd512c3 Azure AI Search services should disable public network access Disabling public network access improves security by ensuring that your Azure AI Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Kubernetes c050047b-b21b-4822-8a2d-c1e37c3c0c6a Configure Kubernetes clusters with specified GitOps configuration using SSH secrets Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled 		count: 001
Contributor
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Service Bus f0fcf93c-c063-4071-9668-c47474bd3564 Configure Service Bus namespaces to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Internet of Things df39c015-56a4-45de-b4a3-efe77bed320d IoT Hub device provisioning service instances should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet. Default
Audit
Allowed
Audit, Disabled
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Event Hub 91678b7c-d721-4fc5-b179-3cdf74e96b1c Configure Event Hub namespaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Event Hubs Data Owner
Network Contributor
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Cache e016b22b-e0eb-436d-8fd7-160c4eaed6e2 Configure Azure Cache for Redis to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 001
Network Contributor
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Synapse 72d11df1-dd8a-41f7-8925-b05b960ebafc Azure Synapse workspaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. Default
Audit
Allowed
Audit, Disabled
change
 Patch (1.0.0 > 1.0.1) 2021-03-09 14:37:41 BuiltIn
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. Default
Audit
Allowed
Audit, Deny, Disabled
change
 Major (1.0.3 > 2.0.0) 2021-03-09 14:37:41 BuiltIn
Service Bus 1c06e275-d63d-4540-b761-71f364c2111d Azure Service Bus namespaces should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
 Minor (6.0.0 > 6.1.0) 2021-03-09 14:37:41 BuiltIn
Synapse ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee Configure Synapse workspaces to have auditing enabled To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
SQL Security Manager
Storage Account Contributor
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Data Factory 0088bc63-6dee-4a9c-9d29-91cfdc848952 SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Service Bus 7d890f7f-100c-473d-baa1-2777e2266535 Configure Service Bus namespaces with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Service Bus namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled 		count: 002
Azure Service Bus Data Owner
Network Contributor
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Search a049bf77-880b-470f-ba6d-9f21c530cf83 Azure AI Search service should use a SKU that supports private link With supported SKUs of Azure AI Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Audit
Allowed
Audit, Deny, Disabled
add
 new Policy 2021-03-09 14:37:41 BuiltIn
SQL 89099bee-89e0-4b26-a5f4-165451757743 SQL servers with auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
 Minor (2.0.1 > 2.1.0) 2021-03-09 14:37:41 BuiltIn
Synapse 529ea018-6afc-4ed4-95bd-7c9ee47b00bc Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
 new Policy 2021-03-09 14:37:41 BuiltIn
Cosmos DB