Az Policy Advertizer

[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool.

To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

97de439f-fd35-4d43-a693-3644f51a51fd

[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.

Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user id

Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

57f274ef-580a-4ed2-bcf8-5c6fa3775253

[Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false.

Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

fed6510d-00b9-40db-a347-933125a6a327

[Preview]: Prevents init containers from being ran as root by setting runAsNotRoot to true.

Setting runAsNotRoot to true increases security by preventing containers from being ran as root.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2025-04-22 16:46:02

BuiltIn

Monitoring

d77df159-718b-4aca-b94b-8e8890a98231

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.4.1 > 4.5.0)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Privilege escalation in the Pod spec to false.

Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present.

Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

6f87d474-38a9-46c9-bdfe-d7fa3b9836bf

[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.

Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present.

Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

e24df237-32cb-4a6c-a2f6-85b499cda9f2

[Preview]: Prints a message if a mutation is applied

Looks up the mutation annotations applied and prints a message if annotation exists.

Default
Audit
Allowed
Audit, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2025-04-22 16:46:02

BuiltIn

Monitoring

fe74a23d-79e4-401c-bd0d-fd7a5b35af32

Linux virtual machines should have Azure Monitor Agent installed

Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.3.0 > 3.4.0)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user id

Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2025-04-22 16:46:02

BuiltIn

App Service

a8e3ce3c-cac3-4402-a28a-03ee3ede9790

App Service apps should use a SKU that supports private link

With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (4.1.0 > 4.2.0)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user id

Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2025-04-22 16:46:02

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.8.0 > 3.9.0)

2025-04-22 16:46:02

BuiltIn

Monitoring

c873b3ba-c605-42e4-a64b-a142a93826fc

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (6.5.1 > 6.6.0)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Mutate K8s Container to drop all capabilities

Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2025-04-22 16:46:02

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.6.0 > 3.7.0)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present

Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2025-04-22 16:46:02

BuiltIn

Monitoring

021f8078-41a0-40e6-81b6-c6597da9f3ee

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.6.0 > 3.7.0)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster container images should not include latest image tag

Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

2fe7ba7d-f670-41f5-8b70-b61dc7dfbe18

[Preview]: Prevents containers from being ran as root by setting runAsNotRoot to true.

Setting runAsNotRoot to true increases security by preventing containers from being ran as root.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.

Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8

[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources

Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Privilege escalation in the Pod spec in init containers to false.

Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2025-04-22 16:46:02

BuiltIn

Monitoring

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.4.1 > 4.5.0)

2025-04-22 16:46:02

BuiltIn

Security Center

6bcd4321-fb89-4e3e-bf6c-999c13d47f43

[Deprecated]: Vulnerabilities in security configuration on your machines should be remediated

Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations, This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (3.2.0-deprecated > 3.2.1-deprecated)

2025-04-22 16:46:02

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present.

Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2025-04-22 16:46:02

BuiltIn

Monitoring

d01f3018-de9f-4d75-8dae-d12c1875da9f

Linux virtual machine scale sets should have Azure Monitor Agent installed

Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.3.0 > 3.4.0)

2025-04-22 16:46:02

BuiltIn

Security Center

[Deprecated]: Configure supported Windows Arc machines to automatically install the Azure Security agent

Configure supported Windows Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows Arc machines must be in a supported location.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

0367cfc4-90b3-46ba-a8a6-ddd5d3514878

[Deprecated]: Azure Security agent should be installed on your Windows Arc machines

Install the Azure Security agent on your Windows Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

1f300abb-f5a0-41c3-a163-91bd3ed35de7

[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent

Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (5.1.0-preview > 5.2.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

[Deprecated]: Azure Security agent should be installed on your Linux Arc machines

Install the Azure Security agent on your Linux Arc machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

e8794316-d918-4565-b57d-6b38a06381a0

[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent

Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (7.0.0-preview > 7.1.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

[Deprecated]: Azure Security agent should be installed on your Linux virtual machines

Install the Azure Security agent on your Linux virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.1.0-deprecated)

2025-04-04 18:50:38

BuiltIn

76a56461-9dc0-40f0-82f5-2453283afa2f

Azure AI Search services should use customer-managed keys to encrypt data at rest

Enabling encryption at rest using a customer-managed key on your Azure AI Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2025-04-04 18:50:38

BuiltIn

Security Center

6654c8c4-e6f8-43f8-8869-54327af7ce32

[Deprecated]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent

Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.1.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

2f47ec78-4301-4655-b78e-b29377030cdc

[Deprecated]: Azure Security agent should be installed on your Windows virtual machine scale sets

Install the Azure Security agent on your Windows virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.2.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

[Deprecated]: Configure supported Linux Arc machines to automatically install the Azure Security agent

Configure supported Linux Arc machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Linux Arc machines must be in a supported location.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2025-04-04 18:50:38

BuiltIn

356da939-f20a-4bb9-86f8-5db445b0e354

Configure Azure AI Search services to enforce customer-managed keys to encrypt data at rest

Default
Deny
Allowed
Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2025-04-04 18:50:38

BuiltIn

Security Center

62b52eae-c795-44e3-94e8-1b3d264766fb

[Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent

Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target Windows virtual machine scale sets must be in a supported location.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.2.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

[Deprecated]: Azure Security agent should be installed on your Linux virtual machine scale sets

Install the Azure Security agent on your Linux virtual machine scale sets in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.1.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Security Center

[Deprecated]: Azure Security agent should be installed on your Windows virtual machines

Install the Azure Security agent on your Windows virtual machines in order to monitor your machines for security configurations and vulnerabilities. Results of the assessments can seen and managed in Azure Security Center.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.2.0-deprecated)

2025-04-04 18:50:38

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.3.1 > 3.4.0)

2025-03-28 18:30:06

BuiltIn

Kubernetes

62a3ae95-8169-403e-a2d2-b82141448092

[Preview]: Deploy Image Integrity on Azure Kubernetes Service

Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor, suffix remains equal (1.0.5-preview > 1.1.0-preview)

2025-03-21 20:19:45

BuiltIn

SignalR

Modify Azure SignalR Service resources to disable public network access

To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.1.0 > 1.2.0)

2025-03-21 20:19:45

BuiltIn

SignalR

21a9766a-82a5-4747-abb5-650b6dbba6d0

Azure SignalR Service should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.1.0 > 1.2.0)

2025-03-21 20:19:45

BuiltIn

Kubernetes

40f1aee2-4db4-4b74-acb1-c6972e24cca8

Configure Node OS Auto upgrade on Azure Kubernetes Cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor (1.0.1 > 1.1.0)

2025-03-21 20:19:45

BuiltIn

Kubernetes

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor (4.1.0 > 4.2.0)

2025-03-21 20:19:45

BuiltIn

Kubernetes

9345b7fb-67c5-496c-9f12-eaa74f676875

Deploy Image Cleaner on Azure Kubernetes Service

Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor (1.1.0 > 1.2.0)

2025-03-21 20:19:45

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL extension

Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2025-03-17 18:27:39

BuiltIn

Security Center

813e1e44-914e-436d-a2ab-84c4529a6084

Assign System Assigned identity to SQL Virtual Machines

Assign System Assigned identity at scale to Windows SQL virtual machines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2025-03-17 18:27:39

BuiltIn

Security Center

[Deprecated]: Vulnerabilities in security configuration on your machines should be remediated

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.1.0 > 3.2.0-deprecated)

2025-03-07 18:28:00

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings

Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2025-03-03 18:38:02

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2025-03-03 18:38:02

BuiltIn

Monitoring

fd9903f1-38c2-4d36-8e44-5c1c20c561e8

Deploy - Configure Dependency agent to be enabled on Windows virtual machines

Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2025-03-03 18:38:02

BuiltIn

Storage

Storage accounts should prevent shared key access (excluding storage accounts created by Databricks)

Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2025-03-03 18:38:02

BuiltIn

Storage

1604f626-4d8d-4124-8bb8-b1e5f95562de

Storage accounts should use private link (excluding storage accounts created by Databricks)

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2025-03-03 18:38:02

BuiltIn

Kubernetes

5c58d54b-87f0-4dcd-83ea-e855fc988997

[Preview]: Sets UnhealthyPodEvictionPolicy to 'AlwaysAllow'

Sets Pod Disruption Budget's UnhealthyPodEvictionPolicy to 'AlwaysAllow' to allow for evicting even unhealthy pods when performing cluster administration

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2025-03-03 18:38:02

BuiltIn

Storage

db4f9b05-5ffd-4b34-b714-3c710dbb3fd6

Storage accounts should restrict network access using virtual network rules (excluding storage accounts created by Databricks)

Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2025-03-03 18:38:02

BuiltIn

Kubernetes

783ea2a8-b8fd-46be-896a-9ae79643a0b1

Deploy Image Cleaner on Azure Kubernetes Service

Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor (1.0.4 > 1.1.0)

2025-03-03 18:38:02

BuiltIn

Container Apps

Container Apps should disable external network access

Disable external network access to your Container Apps by enforcing internal-only ingress. This will ensure inbound communication for Container Apps is limited to callers within the Container Apps environment.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.1 > 1.1.0)

2025-03-03 18:38:02

BuiltIn

Monitoring

cfc5190a-3b19-4a23-b563-a4c719b666e4

Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets

Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2025-03-03 18:38:02

BuiltIn

Backup

[Preview]: Azure Backup should be enabled on Azure file shares

Ensure protection of your Azure file shares by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2025-02-25 18:38:37

BuiltIn

Kubernetes

dbbdc317-9734-4dd8-9074-993b29c69008

Azure Kubernetes Clusters should enable Key Management Service (KMS)

Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption.

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.0 > 1.1.0)

2025-02-25 18:38:37

BuiltIn

App Service

24b7a1c6-44fe-40cc-a2e6-242d2ef70e98

App Service apps should be injected into a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.0.0 > 3.1.0)

2025-02-25 18:38:37

BuiltIn

App Service

App Service app slots should be injected into a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2025-02-25 18:38:37

BuiltIn

Security Center

fbc14a67-53e4-4932-abcc-2049c6706009

Role-Based Access Control (RBAC) should be used on Kubernetes Services

To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.4 > 1.1.0)

2025-02-25 18:38:37

BuiltIn

Configure Azure AI Search services to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure AI Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2025-02-17 18:37:09

BuiltIn

76a56461-9dc0-40f0-82f5-2453283afa2f

Azure AI Search services should use customer-managed keys to encrypt data at rest

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2025-02-17 18:37:09

BuiltIn

9cee519f-d9c1-4fd9-9f79-24ec3449ed30

Configure Azure AI Search services to disable public network access

Disable public network access for your Azure AI Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2025-02-17 18:37:09

BuiltIn

App Service

387140f1-6da9-4741-bcee-3b5edcdfd9ec

Function apps should enable end to end encryption

Enabling end to end encryption ensures front-end intra-cluster traffic between App Service front-ends and the workers running application workloads is encrypted.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2025-02-17 18:37:09

BuiltIn

Key Vault

af1d7e88-c1c8-4ea8-be1f-87bff0df9101

Azure Key Vault should have firewall enabled or public network access disabled

Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.2.1 > 3.3.0)

2025-02-17 18:37:09

BuiltIn

App Service

App Service apps should enable end to end encryption

Enabling end to end encryption ensures front-end intra-cluster traffic between App Service front-ends and the workers running application workloads is encrypted.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2025-02-17 18:37:09

BuiltIn

356da939-f20a-4bb9-86f8-5db445b0e354

Configure Azure AI Search services to enforce customer-managed keys to encrypt data at rest

Default
Deny
Allowed
Deny, Disabled

add

new Policy

2025-02-17 18:37:09

BuiltIn

App Service

123aed70-491a-4f07-a569-e1f3a8dd651e

App Service app slots should enable end to end encryption

Enabling end to end encryption ensures front-end intra-cluster traffic between App Service front-ends and the workers running application workloads is encrypted.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2025-02-17 18:37:09

BuiltIn

ee980b6d-0eca-4501-8d54-f6290fd512c3

Azure AI Search services should disable public network access

Disabling public network access improves security by ensuring that your Azure AI Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2025-02-17 18:37:09

BuiltIn

6300012e-e9a4-4649-b41f-a85f5c43be91

Azure AI Search services should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure AI Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure AI Search portal functionality since some features of the Portal use the GA API which does not support the parameter.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2025-02-17 18:37:09

BuiltIn

App Service

cbe0e5eb-fea9-491d-ab20-a62cf049c5ae

Function app slots should enable end to end encryption

Enabling end to end encryption ensures front-end intra-cluster traffic between App Service front-ends and the workers running application workloads is encrypted.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2025-02-17 18:37:09

BuiltIn

0fda3595-9f2b-4592-8675-4231d6fa82fe

[Deprecated]: Azure AI Search services should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AI Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.

Default
Audit
Allowed
Audit, Disabled

change

Patch, suffix remains equal (1.0.1-deprecated > 1.0.2-deprecated)

2025-02-17 18:37:09

BuiltIn

Security Center

efd4031d-b232-4595-babf-ae817348e91b

Configure Microsoft Defender for Containers plan

New capabilities are continuously being added to Defender for Containers plan, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2025-02-17 18:37:09

BuiltIn

b698b005-b660-4837-b833-a7aaab26ddba

Configure Azure AI Search services with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure AI Search service, you can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2025-02-17 18:37:09

BuiltIn

4eb216f2-9dba-4979-86e6-5d7e63ce3b75

Configure Azure AI Search services to disable local authentication

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2025-02-17 18:37:09

BuiltIn

a049bf77-880b-470f-ba6d-9f21c530cf83

Azure AI Search service should use a SKU that supports private link

With supported SKUs of Azure AI Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2025-02-17 18:37:09

BuiltIn

Security Center

938c4981-c2c9-4168-9cd6-972b8675f906

Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers

Microsoft Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, discovering and classifying sensitive data. Once enabled, the protection status indicates that the resource is actively monitored. Even when Defender is enabled, multiple configuration settings should be validated on the agent, machine, workspace and SQL server to ensure active protection.

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.1 > 1.1.0)

2025-02-05 19:33:00

BuiltIn

BuiltInPolicyTest

125b7269-7ec9-47bf-8beb-8865b61c2c95

[Preview]: Append a tag and its value to resources - This built-in is created for versioning test.

Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).

Default
Append
Allowed
Append, Disabled

add

new Policy

2025-02-05 19:33:00

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2025-01-30 19:26:44

BuiltIn

Security Center

594c1276-f44f-482d-9910-71fac2ce5ae0

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.7.0 > 1.8.0)

2025-01-30 19:26:44

BuiltIn

Monitoring

[Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace

Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.2.0-deprecated)

2025-01-30 19:26:44

BuiltIn

Monitoring

bacd7fca-1938-443d-aad6-a786107b1bfb

[Deprecated]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace

Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2025-01-30 19:26:44

BuiltIn

Resilience

1bf67da8-b100-45bf-b89d-e4669fc54411

[Preview]: Azure Cache for Redis should be Zone Redundant

Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array or zonalAllocationPolicy is set to 'NoZones' or the sku is 'Basic' are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2025-01-30 19:26:44

BuiltIn

Tags

Audit-Tags-Mandatory

Audit for mandatory tags on resources

Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2025-01-28 19:34:51

ALZ

Tags

Audit-Tags-Mandatory-Rg

Audit for mandatory tags on resource groups

Audits resource groups to ensure they have required tags based on tag array.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2025-01-28 19:34:51

ALZ

Storage

Storage account public access should be disallowed

Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (3.1.0-preview > 3.1.1)

2025-01-21 21:08:24

BuiltIn

Kubernetes

Kubernetes cluster should not use naked pods

Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.3.0 > 2.3.1)

2025-01-21 21:08:24

BuiltIn

Security Center

Configure the Microsoft Defender for SQL Log Analytics workspace

Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2025-01-21 19:02:36

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2025-01-21 19:02:36

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2025-01-21 19:02:36

BuiltIn

Security Center

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.7.0 > 1.8.0)

2025-01-21 19:02:36

BuiltIn

SQL

Public network access should be disabled for MySQL flexible servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.1.0 > 2.2.0)

2025-01-21 19:02:36

BuiltIn

Security Center

1f6e93e8-6b31-41b1-83f6-36e449a42579

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.9.0 > 1.10.0)

2025-01-21 19:02:36

BuiltIn

Monitoring

Deploy Diagnostic Settings for Event Hub to Log Analytics workspace

Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2025-01-21 19:02:36

BuiltIn

Managed Grafana

cc4dfa24-c7df-47e4-80ff-3728adb3f9a0

Configure Azure Managed Grafana workspaces to disable service account

Disable API keys and service account for automated workloads in Grafana workspace.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2025-01-21 19:02:36

BuiltIn

Security Center

e3e008c3-56b9-4133-8fd7-d3347377402a

[Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled

This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2025-01-21 19:02:36

BuiltIn

Compute

8405fdab-1faf-48aa-b702-999c9c172094

Managed disks should disable public network access

Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.0 > 2.1.0)

2025-01-21 19:02:36

BuiltIn

Managed Grafana

f757d603-5178-4168-ac45-5223f681023f

Configure Azure Managed Grafana workspaces to disable email settings

Disable SMTP settings configuration of email contact point for alerting in Grafana workspace.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2025-01-21 19:02:36

BuiltIn

Monitoring

81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4

Deploy Diagnostic Settings for Service Bus to Log Analytics workspace

Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2025-01-21 19:02:36

BuiltIn

Security Center

[Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled

This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2025-01-21 19:02:36

BuiltIn

Security Center

931e118d-50a1-4457-a5e4-78550e086c52

[Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled

This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2025-01-21 19:02:36

BuiltIn

Security Center

ad1eeff9-20d7-4c82-a04e-903acab0bfc1

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.8.0 > 1.9.0)

2025-01-21 19:02:36

BuiltIn

ChangeTrackingAndInventory

Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.1.0-preview > 1.2.0)

2024-11-01 18:49:23

BuiltIn

ChangeTrackingAndInventory

b6faa975-0add-4f35-8d1c-70bba45c4424

Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory

Deploy Association to link Windows virtual machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.0.0-preview > 1.1.0)

2024-11-01 18:49:23

BuiltIn

Security Center

Configure ChangeTracking Extension for Linux virtual machines

Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (2.0.0-preview > 2.1.0)

2024-11-01 18:49:23

BuiltIn

Security Center

Configure ChangeTracking Extension for Windows virtual machines

Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (2.0.0-preview > 2.1.0)

2024-11-01 18:49:23

BuiltIn

ChangeTrackingAndInventory

bef2d677-e829-492d-9a3d-f5a20fda818f

Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.5.0-preview > 1.6.0)

2024-11-01 18:49:23

BuiltIn

ChangeTrackingAndInventory

Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory

Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.0.0-preview > 1.1.0)

2024-11-01 18:49:23

BuiltIn

ChangeTrackingAndInventory

a7acfae7-9497-4a3f-a3b5-a16a50abbe2f

Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory

Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.0.0-preview > 1.1.0)

2024-10-31 18:50:28

BuiltIn

Security Center

Configure ChangeTracking Extension for Linux Arc machines

Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (2.0.0-preview > 2.1.0)

2024-10-31 18:50:28

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.8.0 > 1.9.0)

2024-10-31 18:50:28

BuiltIn

ChangeTrackingAndInventory

1e378679-f122-4a96-a739-a7729c46e1aa

Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory

Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.3.0-preview > 1.4.0)

2024-10-31 18:50:28

BuiltIn

Security Center

[Deprecated]: Cloud Services (extended support) role instances should have an endpoint protection solution installed

Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-10-31 18:50:28

BuiltIn

ChangeTrackingAndInventory

ef9fe2ce-a588-4edd-829c-6247069dcfdb

Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory

Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.0.0-preview > 1.1.0)

2024-10-31 18:50:28

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.7.0 > 1.8.0)

2024-10-31 18:50:28

BuiltIn

Security Center

1f7c564c-0a90-4d44-b7e1-9d456cffaee8

Configure ChangeTracking Extension for Windows Arc machines

Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (2.0.0-preview > 2.1.0)

2024-10-31 18:50:28

BuiltIn

Security Center

[Deprecated]: Endpoint protection should be installed on your machines

To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-10-31 18:50:28

BuiltIn

Security Center

af6cd1bd-1635-48cb-bde7-5b15693900b9

[Deprecated]: Monitor missing Endpoint Protection in Azure Security Center

Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2024-10-31 18:50:28

BuiltIn

Security Center

26a828e1-e88f-464e-bbb3-c134a282b9de

[Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets

Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2024-10-31 18:50:28

BuiltIn

ChangeTrackingAndInventory

09a1f130-7697-42bc-8d84-8a9ea17e5192

Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory

Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.0.0-preview > 1.1.0)

2024-10-31 18:50:28

BuiltIn

Security Center

8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2

[Deprecated]: Endpoint protection health issues should be resolved on your machines

Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-10-31 18:50:28

BuiltIn

Compute

014664e7-e348-41a3-aeb9-566e4ff6a9df

Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery

Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.1.0 > 2.1.1)

2024-10-30 18:57:40

BuiltIn

App Service

Configure App Service app slots to use the latest TLS version

Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-10-25 17:51:35

BuiltIn

App Service

1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0

Configure Function apps to use the latest TLS version

Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2024-10-25 17:51:35

BuiltIn

App Service

ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d

Configure App Service apps to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2024-10-25 17:51:35

BuiltIn

Backup

fa3a6357-c6d6-4120-8429-855577ec0063

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.3.0 > 9.4.0)

2024-10-25 17:51:35

BuiltIn

App Service

Configure Function app slots to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-10-25 17:51:35

BuiltIn

Backup

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.3.0 > 9.4.0)

2024-10-25 17:51:35

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.3.0 > 9.4.0)

2024-10-25 17:51:35

BuiltIn

Backup

deb528de-8f89-4101-881c-595899253102

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.3.0 > 9.4.0)

2024-10-25 17:51:35

BuiltIn

App Service

Function app slots should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-10-25 17:51:35

BuiltIn

App Service

4ee5b817-627a-435a-8932-116193268172

Function apps should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.0)

2024-10-25 17:51:35

BuiltIn

App Service

App Service app slots should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-10-25 17:51:35

BuiltIn

App Service

1d14b021-1bae-4f93-b36b-69695e14984a

App Service apps should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.0)

2024-10-25 17:51:35

BuiltIn

PostgreSQL

Disconnections should be logged for PostgreSQL flexible servers

This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-10-21 17:52:17

BuiltIn

PostgreSQL

a43d5475-c569-45ce-a268-28fa79f4e87a

PostgreSQL flexible servers should be running TLS version 1.2 or newer

This policy helps audit any PostgreSQL flexible servers in your environment which is running with TLS version less than 1.2.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-10-21 17:52:17

BuiltIn

Kubernetes

12e5dd16-d201-47ff-849b-8454061c293d

[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets

Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS).

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2024-10-21 17:52:17

BuiltIn

Machine Learning

[Preview]: Azure Machine Learning Deployments should only use approved Registry Models

Restrict the deployment of Registry models to control externally created models used within your organization

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-10-15 17:53:32

BuiltIn

Azure Update Manager

a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4

Configure periodic checking for missing system updates on azure Arc-enabled servers

Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.

Fixed
modify

change

Minor (2.2.1 > 2.3.0)

2024-10-15 17:53:32

BuiltIn

Guest Configuration

Audit SSH security posture for Linux (powered by OSConfig)

This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2024-10-15 17:53:32

BuiltIn

Guest Configuration

e22a2f03-0534-4d10-8ea0-aa25a6113233

Configure SSH security posture for Linux (powered by OSConfig)

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2024-10-15 17:53:32

BuiltIn

SQL

Deny-Sql-minTLS

Azure SQL Database should have the minimal TLS version set to the highest version

Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Minor (1.0.0 > 1.1.0)

2024-10-10 01:17:21

ALZ

Network

Deny-VNET-Peer-Cross-Sub

Deny vNet peering cross subscription.

This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Minor (1.0.1 > 1.1.0)

2024-10-10 01:17:21

ALZ

SQL

Deploy-PostgreSQL-sslEnforcement

Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL

Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-10-10 01:17:21

ALZ

SQL

Deny-SqlMi-minTLS

SQL Managed Instance should have the minimal TLS version set to the highest version

Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Minor (1.0.0 > 1.1.0)

2024-10-10 01:17:21

ALZ

Storage

Deploy-Storage-sslEnforcement

Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS

Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2024-10-10 01:17:21

ALZ

SQL

Deploy-SQL-minTLS

SQL servers deploys a specific min TLS version requirement.

Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-10-10 01:17:21

ALZ

Cache

Append-Redis-sslEnforcement

Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.

Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.

Default
Append
Allowed
Append, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-10-10 01:17:21

ALZ

SQL

Deploy-MySQL-sslEnforcement

Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.

Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-10-10 01:17:21

ALZ

SQL

Deny-MySql-http

MySQL database servers enforce SSL connections.

Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.

Default
Deny
Allowed
Audit, Disabled, Deny

change

Minor (1.0.0 > 1.1.0)

2024-10-10 01:17:21

ALZ

Cache

Deny-Redis-http

Azure Cache for Redis only secure connections should be enabled

Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking

Default
Deny
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-10-10 01:17:21

ALZ

SQL

Deploy-SqlMi-minTLS

SQL managed instances deploy a specific min TLS version requirement.

Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2024-10-10 01:17:21

ALZ

App Service

Append-AppService-latestTLS

AppService append sites with minimum TLS version to enforce.

Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.

Default
Append
Allowed
Append, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-10-10 01:17:21

ALZ

Networking

Deploy-Private-DNS-Generic

Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2024-10-10 01:17:21

ALZ

Event Hub

Deny-EH-minTLS

Event Hub namespaces should use a valid TLS version

Event Hub namespaces should use a valid TLS version.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-10-10 01:17:21

ALZ

Security Center

c3f317a7-a95c-4547-b7e7-11017ebdf2fe

[Deprecated]: System updates on virtual machine scale sets should be installed

Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2024-10-07 17:51:17

BuiltIn

Security Center

e8cbc669-f12d-49eb-93e7-9273119e9933

[Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines

Azure Security Center recommends NSG rules for Internet-facing VMs. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2024-10-07 17:51:17

BuiltIn

Security Center

[Deprecated]: Vulnerabilities in container security configurations should be remediated

Audit Docker security vulnerabilities and display recommendations in Azure Security Center. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2024-10-07 17:51:17

BuiltIn

Security Center

d242c24b-bac7-439e-8af7-22d7dcfd3c4f

[Deprecated]: Allowlist rules in your adaptive application control policy should be updated

Monitor changes in behavior on machines audited by Azure Security Center's adaptive application controls. Security Center uses machine learning to suggest known-safe applications as recommended apps. This policy is deprecated due to the deprecation of the Azure Monitoring agent. Learn more at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2024-10-07 17:51:17

BuiltIn

App Configuration

App Configuration should use geo-replication

Use the geo-replication feature to create replicas in other locations of your current configuration store for enhanced resiliency and availability. Additionally, having multi-region replicas lets you better distribute load, lower latency, protect against datacenter outages, and compartmentalize globally distributed workloads. Learn more at: https://aka.ms/appconfig/geo-replication.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-10-07 17:51:17

BuiltIn

Container Apps

d074ddf8-01a5-4b5e-a2b8-964aed452c0a

Container Apps environment should disable public network access

Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.1 > 1.1.0)

2024-10-07 17:51:17

BuiltIn

Security Center

475aae12-b88a-4572-8b36-9b712b2b3a17

[Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription

Azure Security Center collects VM data using the Log Analytics agent for security monitoring. Enable auto provisioning for automatic deployment. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated)

2024-10-07 17:51:17

BuiltIn

Security Center

86b3d65f-7626-441e-b690-81a8b71cff60

[Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines

Enable application controls to define safe applications and get alerts for others, enhancing security. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2024-10-07 17:51:17

BuiltIn

Security Center

[Deprecated]: System updates should be installed on your machines

Missing security system updates on your servers will be monitored by Azure Security Center as recommendations

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (4.0.0 > 4.1.0-deprecated)

2024-10-07 17:51:17

BuiltIn

Security Center

3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4

[Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated

Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks, This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2024-10-07 17:51:17

BuiltIn

Cache

1b1df1e6-d60f-4430-9390-2b0c83aae4a7

Configure Azure Cache for Redis Enterprise with private endpoints

Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-09-27 17:51:42

BuiltIn

Kubernetes

[Preview]: Cannot Edit Individual Nodes

Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2024-09-24 17:50:47

BuiltIn

Kubernetes

Kubernetes cluster should not use naked pods

Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.2.0 > 2.3.0)

2024-09-24 17:50:47

BuiltIn

Machine Learning

Azure Machine Learning workspaces should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.3 > 1.1.0)

2024-09-18 17:50:24

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-09-10 17:48:30

BuiltIn

Kubernetes

c5f34731-7ab9-42ff-922d-ef4920068b74

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (7.2.0-preview > 7.3.0-preview)

2024-09-10 17:48:30

BuiltIn

Health Deidentification Service

Azure Health Data Services de-identification service should disable public network access

Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-09-10 17:48:30

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.6.0 > 1.7.0)

2024-09-10 17:48:30

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-09-10 17:48:30

BuiltIn

Security Center

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.6.0 > 1.7.0)

2024-09-10 17:48:30

BuiltIn

Security Center

Configure the Microsoft Defender for SQL Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2024-09-10 17:48:30

BuiltIn

Security Center

d9b2d63d-a233-4123-847a-7f7e5f5d7e7a

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.7.0 > 1.8.0)

2024-09-10 17:48:30

BuiltIn

Health Deidentification Service

Azure Health Data Services de-identification service should use private link

Azure Health Data Services de-identification service should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-09-10 17:48:30

BuiltIn

Kubernetes

e1352e44-d34d-4e4d-a22e-451a15f759a1

Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster

Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-09-02 17:49:45

BuiltIn

Security Center

359a48a3-351a-4618-bb32-f1628645694b

Configure Microsoft Defender threat protection for AI workloads

New capabilities are continuously being added to threat protection for AI workloads, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-09-02 17:49:45

BuiltIn

Kubernetes

fed6510d-00b9-40db-a347-933125a6a327

[Preview]: Prevents init containers from being ran as root by setting runAsNotRoot to true.

Setting runAsNotRoot to true increases security by preventing containers from being ran as root.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-08-26 18:17:33

BuiltIn

Kubernetes

2fe7ba7d-f670-41f5-8b70-b61dc7dfbe18

[Preview]: Prevents containers from being ran as root by setting runAsNotRoot to true.

Setting runAsNotRoot to true increases security by preventing containers from being ran as root.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-08-26 18:17:33

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (3.3.0 > 3.3.1)

2024-08-20 18:21:51

BuiltIn

Monitoring

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (3.3.0 > 3.3.1)

2024-08-20 18:21:51

BuiltIn

Monitoring

Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.2.0 > 2.2.1)

2024-08-20 18:21:51

BuiltIn

Monitoring

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.4.0 > 4.4.1)

2024-08-20 18:21:51

BuiltIn

Monitoring

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.4.0 > 4.4.1)

2024-08-20 18:21:51

BuiltIn

Monitoring

09aa11bb-87ec-409f-bf0b-49b7c1561a87

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.5.0 > 4.5.1)

2024-08-20 18:21:51

BuiltIn

Cache

Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data

Use customer-managed keys (CMK) to manage the encryption at rest of your on-disk data. By default, customer data is encrypted with platform-managed keys (PMK), but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/RedisCMK.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-08-20 18:21:51

BuiltIn

Security Center

f85bf3e0-d513-442e-89c3-1784ad63382b

System updates should be installed on your machines (powered by Update Center)

Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2024-08-20 18:21:51

BuiltIn

Regulatory Compliance

9e1a2a94-cf7e-47de-b28e-d445ecc63902

Set file integrity rules in your organization

CMA_M1000 - Set file integrity rules in your organization

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2024-08-20 18:21:51

BuiltIn

Cache

7473e756-98d9-4d10-9a22-8101ef32cd74

Configure Azure Cache for Redis Enterprise to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis Enterprise. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-08-20 18:21:51

BuiltIn

Kubernetes

1b1df1e6-d60f-4430-9390-2b0c83aae4a7

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (7.1.0-preview > 7.2.0-preview)

2024-08-20 18:21:51

BuiltIn

Cache

Configure Azure Cache for Redis Enterprise with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-08-20 18:21:51

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (6.5.0 > 6.5.1)

2024-08-20 18:21:51

BuiltIn

Kubernetes

960e650e-9ce3-4316-9590-8ee2c016ca2f

Configure Azure Kubernetes Service clusters to enable Defender profile

Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.2.0 > 4.3.0)

2024-08-20 18:21:51

BuiltIn

Cache

Azure Cache for Redis Enterprise should use private link

Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-08-20 18:21:51

BuiltIn

Monitoring

Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.2.0 > 2.2.1)

2024-08-20 18:21:51

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.0 > 6.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should not allow container privilege escalation

Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.1.0 > 7.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8

[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present

Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets Privilege escalation in the Pod spec in init containers to false.

Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool.

To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should use internal load balancers

Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (8.1.0 > 8.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.

Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.2.0 > 6.3.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass

The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.2.0 > 2.3.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.1.1 > 5.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Must Have Anti Affinity Rules Set

This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: No AKS Specific Labels

Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster should not allow privileged containers

Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (9.1.0 > 9.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.1 > 6.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (8.1.1 > 8.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (9.2.0 > 9.3.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

c812272d-7488-495f-a505-047d34b83f58

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.1.0 > 5.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Mutate K8s Init Container to drop all capabilities

Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

021f8078-41a0-40e6-81b6-c6597da9f3ee

[Preview]: Kubernetes cluster container images should not include latest image tag

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

ca8d5704-aa2b-40cf-b110-dc19052825ad

[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should minimize wildcard use in role and cluster role

Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster.

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present.

Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.1.0 > 5.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

6bcd4321-fb89-4e3e-bf6c-999c13d47f43

Kubernetes cluster containers should only use allowed seccomp profiles

Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.1.1 > 7.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present.

Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

57f274ef-580a-4ed2-bcf8-5c6fa3775253

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.1 > 6.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false.

Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

1a3b9003-eac6-4d39-a184-4a567ace7645

[Preview]: Kubernetes cluster container images must include the preStop hook

Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (9.2.0 > 9.3.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should be accessible only over HTTPS

Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (8.1.0 > 8.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should not use the default namespace

Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Cannot Edit Individual Nodes

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Ensure cluster containers have readiness or liveness probes configured

This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.2.0 > 3.3.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

cf426bb8-b320-4321-8545-1b784a5df3a4

Kubernetes cluster containers should not share host process ID or host IPC namespace

Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.1.0 > 5.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Image Integrity] Kubernetes clusters should only use images signed by notation

Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity

Default
Audit
Allowed
Audit, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should not overcommit cpu and memory

Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.1 > 6.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

5485eac0-7e8f-4964-998b-a44f4f0c1e75

Kubernetes cluster containers should only use allowed pull policy

Restrict containers' pull policy to enforce containers to use only allowed images on deployments

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should not run as ContainerAdministrator

Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ .

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

fe8a9af4-a003-4c7d-b7a4-b9808310c4f8

Kubernetes cluster pods should use specified labels

Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.1.0 > 7.2.0)

2024-08-09 18:17:47

BuiltIn

Network

Public IPs and Public IP prefixes should have FirstPartyUsage tag

Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-08-09 18:17:47

BuiltIn

Kubernetes

c873b3ba-c605-42e4-a64b-a142a93826fc

[Preview]: Mutate K8s Container to drop all capabilities

Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

077f0ce1-86d6-4058-bc60-de05067e8622

Kubernetes cluster Windows pods should not run HostProcess containers

Prevent prviledged access to the windows node. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ .

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster services should use unique selectors

Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS).

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
Audit, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.1.1 > 5.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.0 > 6.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.

Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster services should listen only on allowed ports

Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (8.1.0 > 8.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

a3dc4946-dba6-43e6-950d-f96532848c9f

Kubernetes cluster pods and containers should only use allowed SELinux options

Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.1.1 > 7.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes clusters should ensure that the cluster-admin role is only used where required

The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed.

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Reserved System Pool Taints

Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

6f87d474-38a9-46c9-bdfe-d7fa3b9836bf

Kubernetes resources should have required annotations

Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present.

Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

e24df237-32cb-4a6c-a2f6-85b499cda9f2

[Preview]: Prints a message if a mutation is applied

Looks up the mutation annotations applied and prints a message if annotation exists.

Default
Audit
Allowed
Audit, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Kubernetes clusters should restrict creation of given resource type

Given Kubernetes resource type should not be deployed in certain namespace.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (2.2.0-preview > 2.3.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources

Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should only run with approved user and domain user group

Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.1.1 > 7.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

d77df159-718b-4aca-b94b-8e8890a98231

Kubernetes cluster should not use naked pods

Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets Privilege escalation in the Pod spec to false.

Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.

Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2024-08-09 18:17:47

BuiltIn

Kubernetes

d855fd7a-9be5-4d84-8b75-28d41aadc158

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2024-08-09 18:17:47

BuiltIn

Azure Load Testing

[Preview]: Load tests using Azure Load Testing should be run only against private endpoints from within a virtual network.

Azure Load Testing engine instances should use virtual network injection for the following purposes: 1. Isolate Azure Load Testing engines to a virtual network. 2. Enable Azure Load Testing engines to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Load Testing engines.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-08-09 18:17:47

BuiltIn

Cache

3827af20-8f80-4b15-8300-6db0873ec901

Azure Cache for Redis should not use access keys for authentication

Not using local authentication methods like access keys and using more secure alternatives like Microsoft Entra ID (recommended) improves security for your Azure Cache for Redis. Learn more at aka.ms/redis/disableAccessKeyAuthentication

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-08-05 18:24:24

BuiltIn

Cognitive Services

7e92882a-2f8a-4991-9bc4-d3147d40abb0

Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)

Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-08-05 18:24:24

BuiltIn

Security Center

Enable threat protection for AI workloads

Microsoft threat protection for AI workloads provides contextualized, evidence-based security alerts aimed at protecting home grown Generative AI powered applications

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-08-05 18:24:24

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.5.0 > 3.6.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets

Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances.

Fixed
deployIfNotExists

change

Minor (5.0.0 > 5.1.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Windows servers

Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.7.0 > 3.8.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (6.4.0 > 6.5.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.7.0 > 3.8.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.5.0 > 3.6.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.2 > 1.3.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Linux servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings

Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.2 > 1.2.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.1 > 3.2.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings

Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.1 > 3.2.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.2 > 1.2.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

7bca8353-aa3b-429b-904a-9229c4385837

Deploy Dependency agent for Linux virtual machines

Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.

Fixed
deployIfNotExists

change

Minor (5.0.0 > 5.1.0)

2024-07-30 18:18:24

BuiltIn

Network

Subnets should be private

Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-07-30 18:18:24

BuiltIn

Monitoring

Linux virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.3.0 > 4.4.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.3.0 > 4.4.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

3bc8a0d5-38e0-4a3d-a657-2cb64468fc34

Linux virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2024-07-30 18:18:24

BuiltIn

Security Center

Azure Defender for SQL should be enabled for unprotected MySQL flexible servers

Audit MySQL flexible servers without Advanced Data Security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-07-30 18:18:24

BuiltIn

Monitoring

12c74c95-0efd-48da-b8d9-2a7d68470c92

Deploy - Configure Dependency agent to be enabled on Windows virtual machines

Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-07-30 18:18:24

BuiltIn

PostgreSQL

PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.2 > 1.3.0)

2024-07-30 18:18:24

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2024-07-17 18:20:29

BuiltIn

Security Center

0fda3595-9f2b-4592-8675-4231d6fa82fe

Configure Microsoft Defender for Storage to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2024-07-17 18:20:29

BuiltIn

[Deprecated]: Azure AI Search services should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AI Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.

Default
Audit
Allowed
Audit, Disabled

change

Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated)

2024-07-17 18:20:29

BuiltIn

Monitoring

d6759c02-b87f-42b7-892e-71b3f471d782

Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2024-07-17 18:20:29

BuiltIn

Azure Ai Services

Azure AI Services resources should use Azure Private Link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-07-17 18:20:29

BuiltIn

Cognitive Services

c812272d-7488-495f-a505-047d34b83f58

[Deprecated]: Cognitive Services should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.

Default
Audit
Allowed
Audit, Disabled

change

Patch, new suffix: deprecated (3.0.0 > 3.0.1-deprecated)

2024-07-17 18:20:29

BuiltIn

Kubernetes

[Preview]: Mutate K8s Init Container to drop all capabilities

Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-15 18:22:44

BuiltIn

Kubernetes

c873b3ba-c605-42e4-a64b-a142a93826fc

[Preview]: Mutate K8s Container to drop all capabilities

Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-15 18:22:44

BuiltIn

Kubernetes

e24df237-32cb-4a6c-a2f6-85b499cda9f2

[Preview]: Prints a message if a mutation is applied

Looks up the mutation annotations applied and prints a message if annotation exists.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Guest Configuration

4078e558-bda6-41fb-9b3c-361e8875200d

[Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc

Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (2.0.0 > 2.1.0-deprecated)

2024-07-09 18:20:14

BuiltIn

Kubernetes

6f87d474-38a9-46c9-bdfe-d7fa3b9836bf

[Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present.

Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Kubernetes

a8e3ce3c-cac3-4402-a28a-03ee3ede9790

[Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user id

Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Network

8c19196d-7fd7-45b2-a9b4-7288f47c769a

Azure Firewall Standard should be upgraded to Premium for next generation protection

If you are looking for next generation protection like IDPS and TLS inspection, you should consider upgrading your Azure Firewall to Premium sku.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Network

72923a3a-e567-46d3-b3f9-ffb2462a1c3a

Virtual Hubs should be protected with Azure Firewall

Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Network

da79a7e2-8aa1-45ed-af81-ba050c153564

Azure Firewall Policy should enable Threat Intelligence

Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Security Center

a3a6ea0c-e018-4933-9ef0-5aaa1501449b

[Deprecated]: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring

Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-07-09 18:20:14

BuiltIn

Network

7c591a93-c34c-464c-94ac-8f9f9a46e3d6

Azure Firewall Standard - Classic Rules should enable Threat Intelligence

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Kubernetes

fe74a23d-79e4-401c-bd0d-fd7a5b35af32

[Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user id

Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Kubernetes

4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8

[Preview]: Sets Privilege escalation in the Pod spec in init containers to false.

Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Network

794d77cc-fe65-4801-8514-230c0be387a8

Azure Firewall Classic Rules should be migrated to Firewall Policy

Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Security Center

1e7fed80-8321-4605-b42c-65fc300f23a3

Role-Based Access Control (RBAC) should be used on Kubernetes Services

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.3 > 1.0.4)

2024-07-09 18:20:14

BuiltIn

Guest Configuration

[Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc

Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.1.0 > 1.2.0-deprecated)

2024-07-09 18:20:14

BuiltIn

Kubernetes

d77df159-718b-4aca-b94b-8e8890a98231

[Preview]: Sets Privilege escalation in the Pod spec to false.

Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Kubernetes

57f274ef-580a-4ed2-bcf8-5c6fa3775253

[Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false.

Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Security Center

a4fe33eb-e377-4efb-ab31-0784311bc499

[Deprecated]: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring

This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-07-09 18:20:14

BuiltIn

Compute

3f84c9b0-8b64-4208-98d4-6ada96bb49c3

[Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated)

2024-07-09 18:20:14

BuiltIn

Network

Azure Firewall Policy should have DNS Proxy Enabled

Enabling DNS Proxy will make the Azure Firewall associated with this policy to listen on port 53 and forward the DNS requests to specified DNS server

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Network

dfb5ac92-ce74-4dbc-81fa-87243e62d5d3

Azure Firewall Policy Analytics should be Enabled

Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Kubernetes

6bcd4321-fb89-4e3e-bf6c-999c13d47f43

[Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present.

Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Kubernetes

97de439f-fd35-4d43-a693-3644f51a51fd

[Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user id

Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Network

3e1f521a-d037-4709-bdd6-1f532f271a75

Azure Firewall should be deployed to span multiple Availability Zones

For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-07-09 18:20:14

BuiltIn

Managed Grafana

bc33de80-97cd-4c11-b6b4-d075e03c7d60

Configure Azure Managed Grafana workspaces with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-06-28 18:15:04

BuiltIn

Managed Grafana

3a97e513-f75e-4230-8137-1efad4eadbbc

Azure Managed Grafana workspaces should use private link

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-06-28 18:15:04

BuiltIn

Managed Grafana

0656cf40-485c-427b-b992-703a4ecf4f88

Azure Managed Grafana workspaces should disable service account

Disables API keys and service account for automated workloads in Grafana workspace.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-28 18:15:04

BuiltIn

Managed Grafana

a08f2347-fe9c-482b-a944-f6a0e05124c0

Azure Managed Grafana workspaces should disable Grafana Enterprise upgrade

Disables Grafana Enterprise upgrade in Grafana workspace.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-28 18:15:04

BuiltIn

Managed Grafana

b6752a42-6fc3-46cb-8a15-33aa109407b1

Azure Managed Grafana workspaces should disable email settings

Disables SMTP settings configuration of email contact point for alerting in Grafana workspace.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-28 18:15:04

BuiltIn

Kubernetes

28257686-e9db-403e-b9e2-a5eecbe03da9

Azure Kubernetes Clusters should disable SSH

Disable SSH gives you the ability to secure your cluster and reduce the attack surface. To learn more, visit: aka.ms/aks/disablessh

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-06-24 18:15:26

BuiltIn

Guest Configuration

2454bbee-dc19-442f-83fc-7f3114cafd91

[Deprecated]: Windows machines should use the default NTP server

This policy is deprecated because Microsoft 365 App Compliance Program no longer checks the default NTP server on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-06-14 18:20:16

BuiltIn

PostgreSQL

12c74c95-0efd-48da-b8d9-2a7d68470c92

PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-14 18:20:16

BuiltIn

Network

f516dc7a-4543-4d40-aad6-98f76a706b50

[Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium

This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-06-14 18:20:16

BuiltIn

Network

610b6183-5f00-4d68-86d2-4ab4cb3a67a5

[Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-06-14 18:20:16

BuiltIn

PostgreSQL

4eb5e667-e871-4292-9c5d-8bbb94e0c908

Auditing with PgAudit should be enabled for PostgreSQL flexible servers

This policy helps audit any PostgreSQL flexible servers in your environment which is not enabled to use pgaudit.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-06-14 18:20:16

BuiltIn

PostgreSQL

ce39a96d-bf09-4b60-8c32-e85d52abea0f

A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers

Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-06-14 18:20:16

BuiltIn

Guest Configuration

b3248a42-b1c1-41a4-87bc-8bad3d845589

Windows machines should enable Windows Defender Real-time protection

Windows machines should enable the Real-time protection in the Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-06-14 18:20:16

BuiltIn

Guest Configuration

78ed47da-513e-41e9-a088-e829b373281d

[Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day

This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.2.0 > 1.3.0-deprecated)

2024-06-14 18:20:16

BuiltIn

PostgreSQL

Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace

Deploys the diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible servers which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-06-14 18:20:16

BuiltIn

SQL

d96163de-dbe0-45ac-b803-0e9ca0f5764e

Public network access should be disabled for PostgreSQL flexible servers

Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.0.1 > 3.1.0)

2024-06-14 18:20:16

BuiltIn

Guest Configuration

Windows machines should configure Windows Defender to update protection signatures within one day

To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-06-14 18:20:16

BuiltIn

PostgreSQL

a43d5475-c569-45ce-a268-28fa79f4e87a

PostgreSQL flexible servers should be running TLS version 1.2 or newer

This policy helps audit any PostgreSQL flexible servers in your environment which is running with TLS version less than 1.2.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-06-14 18:20:16

BuiltIn

Network

a58ac66d-92cb-409c-94b8-8e48d7a96596

[Deprecated]: Azure firewall policy should enable TLS inspection within application rules

This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-06-14 18:20:16

BuiltIn

Network

f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf

[Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-06-14 18:20:16

BuiltIn

Network

632d3993-e2c0-44ea-a7db-2eca131f356d

[Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway

This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated)

2024-06-14 18:20:16

BuiltIn

Network

6484db87-a62d-4327-9f07-80a2cbdf333a

[Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS)

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-06-14 18:20:16

BuiltIn

Network

711c24bb-7f18-4578-b192-81a6161e1f17

[Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-06-14 18:20:16

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.6.0 > 1.7.0)

2024-06-10 18:18:08

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2024-06-10 18:18:08

BuiltIn

Security Center

Deploy-ASC-SecurityContacts

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.6.0 > 1.7.0)

2024-06-10 18:18:08

BuiltIn

Security Center

Deploy Microsoft Defender for Cloud Security Contacts

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2024-06-10 18:18:08

ALZ

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.1.0 > 4.2.0)

2024-06-10 18:18:08

BuiltIn

Security Center

0d6d79a8-8406-4e87-814d-2dcd83b2c355

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-06-10 18:18:08

BuiltIn

DevOpsInfrastructure

[Preview]: Microsoft Managed DevOps Pools should be provided with valid subnet resource in order to configure with own virtual network.

Disallows creating Pool resources if a valid subnet resource is not provided.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-10 18:18:08

BuiltIn

General

DenyAction-DeleteResources

Do not allow deletion of specified resource and resource type

This policy enables you to specify the resource and resource type that your organization can protect from accidentals deletion by blocking delete calls using the deny action effect.

Default
DenyAction
Allowed
DenyAction, Disabled

add

new Policy

2024-06-06 18:16:12

ALZ

Monitoring

Deploy-Diagnostics-VMSS

[Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace

Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Security Center

Deploy-MDFC-SQL-DefenderSQL-DCR

[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-WVDWorkspace

[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace

Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated)

2024-06-03 17:39:43

ALZ

Security Center

Deploy-MDFC-SQL-DefenderSQL

[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL (ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) BuiltIn

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-iotHub

[Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace

Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

App Service

Deny-AppService-without-BYOC

App Service certificates must be stored in Key Vault

App Service (including Logic apps and Function apps) must use certificates stored in Key Vault

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Cognitive Services

Deny-CognitiveServices-NetworkAcls

Network ACLs should be restricted for Cognitive Services

Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Logic Apps

Deny-LogicApps-Without-Https

Logic app should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Network

Deny-Service-Endpoints

Deny or Audit service endpoints on subnets

This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allows the network traffic to bypass Network appliances, such as the Azure Firewall.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-HDInsight

[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace

Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-WVDAppGroup

[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace

Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated)

2024-06-03 17:39:43

ALZ

Managed Identity

Deploy-UserAssignedManagedIdentity-VMInsights

[Deprecated]: Deploy User Assigned Managed Identity for VM Insights

Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-SQLMI

[Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace

Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Network

Audit-PrivateLinkDnsZones

Audit or Deny the creation of Private Link Private DNS Zones

This policy audits or denies, depending on assignment effect, the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-ResourceAccessRulesTenantId

Resource Access Rules Tenants should be restricted for Storage Accounts

Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. Enforce this for increased data exfiltration protection.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-LocalUser

Local users should be restricted for Storage Accounts

Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-NetworkSecurityGroups

[Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace

Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Cognitive Services

Deny-CognitiveServices-RestrictOutboundNetworkAccess

Outbound network access should be restricted for Cognitive Services

Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Networking

Deploy-Private-DNS-Generic

Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-minTLS

[Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled

Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html

Default
Deny
Allowed
Audit, Deny, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Policy (fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-CognitiveServices

[Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace

Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-ContainerDeleteRetentionPolicy

Storage Accounts should use a container delete retention policy

Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-ResourceAccessRulesResourceId

Resource Access Rules resource IDs should be restricted for Storage Accounts

Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Network

Modify-NSG

Enforce specific configuration of Network Security Groups (NSG)

This policy enforces the configuration of Network Security Groups (NSG).

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-APIMgmt

[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace

Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-LogicAppsISE

[Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace

Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-ACR

[Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace

Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-TimeSeriesInsights

[Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace

Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-LogAnalytics

[Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace

Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-SignalR

[Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace

Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-PowerBIEmbedded

[Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace

Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-MlWorkspace

[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace

Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-ApplicationGateway

[Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace

Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-AnalysisService

[Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace

Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Logic Apps

Deny-LogicApp-Public-Network

Logic apps should disable public network access

Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-MediaService

[Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace

Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-NetworkAclsBypass

Network ACL bypass option should be restricted for Storage Accounts

Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-PostgreSQL

[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace

Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-DataExplorerCluster

[Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace

Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Security Center

Deploy-Diagnostics-FrontDoor

[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (2.0.3 > 2.1.0-deprecated)

2024-06-03 17:39:43

BuiltIn

Monitoring

[Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace

Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-EventGridSub

[Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace

Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Event Hub

Deny-EH-minTLS

Event Hub namespaces should use a valid TLS version

Event Hub namespaces should use a valid TLS version.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-Bastion

[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace

Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Security Center

Deploy-MDFC-Arc-SQL-DCR-Association

[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR (2227e1f1-23dd-4c3a-85a9-7024a401d8b2) BuiltIn

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-MySQL

[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace

Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-RedisCache

[Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace

Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-WebServerFarm

[Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace

Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-EventGridTopic

[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace

Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-VM

[Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace

Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-Firewall

[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace

Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated)

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-CorsRules

Storage Accounts should restrict CORS rules

Deny CORS rules for storage account for increased data exfiltration protection and endpoint protection.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-VirtualNetwork

[Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace

Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Security Center

Deploy-MDFC-SQL-AMA

[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure SQL Virtual Machines to automatically install Azure Monitor Agent (f91991d1-5383-4c95-8ee5-5ac423dd8bb1) BuiltIn

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-Website

[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace

Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated)

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-NetworkAclsVirtualNetworkRules

Virtual network rules should be restricted for Storage Accounts

Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-AA

[Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace

Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-ACI

[Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace

Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-Function

[Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace

Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

API Management

Deny-APIM-TLS

API Management services should use TLS version 1.2

Azure API Management service should use TLS version 1.2

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-CosmosDB

[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace

Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-DLAnalytics

[Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace

Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-TrafficManager

[Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace

Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-SQLElasticPools

[Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace

Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-VNetGW

[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace

Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace

Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated)

2024-06-03 17:39:43

ALZ

Network

Deny-AzFw-Without-Policy

Azure Firewall should have a default Firewall Policy

This policy denies the creation of Azure Firewall without a default Firewall Policy.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Storage

Deny-Storage-ServicesEncryption

Encryption for storage services should be enforced for Storage Accounts

Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Guest Configuration

e22a2f03-0534-4d10-8ea0-aa25a6113233

Configure SSH security posture for Linux (powered by OSConfig)

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-06-03 17:39:43

BuiltIn

Storage

Deny-Storage-CopyScope

Allowed Copy scope should be restricted for Storage Accounts

Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deny-CognitiveServices-Resource-Kinds

[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace

Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated)

2024-06-03 17:39:43

ALZ

Cognitive Services

Only explicit kinds for Cognitive Services should be allowed

Azure Cognitive Services should only create explicit allowed kinds.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-NIC

[Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace

Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-CDNEndpoints

[Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace

Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-ApiForFHIR

[Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace

Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-AVDScalingPlans

[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace

Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Cost Optimization

Audit-PublicIpAddresses-UnusedResourcesCostOptimization

Unused Public IP addresses driving cost should be avoided

Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-Relay

[Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace

Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Network

Modify-UDR

Enforce specific configuration of User-Defined Routes (UDR)

This policy enforces the configuration of User-Defined Routes (UDR) within a subnet.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Event Hub

Deny-EH-Premium-CMK

Event Hub namespaces (Premium) should use a customer-managed key for encryption

Event Hub namespaces (Premium) should use a customer-managed key for encryption.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

SQL

fa498b91-8a7e-4710-9578-da944c68d1fe

[Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled

Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-06-03 17:39:43

BuiltIn

Monitoring

Deploy-Diagnostics-ExpressRoute

[Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace

Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-VWanS2SVPNGW

[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace

Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-LoadBalancer

[Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace

Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-DataFactory

[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace

Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated)

2024-06-03 17:39:43

ALZ

Monitoring

Deploy-Diagnostics-EventGridSystemTopic

[Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace

Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-06-03 17:39:43

ALZ

Logic Apps

Deploy-LogicApp-TLS

Configure Logic apps to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Network

Deny-AppGw-Without-Tls

Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2

This policy enables you to restrict that Application Gateways is always deployed with predefined Microsoft policy that is using TLS version 1.2

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-06-03 17:39:43

ALZ

Security Center

Deploy-MDFC-Arc-Sql-DefenderSQL-DCR

[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (63d03cbd-47fd-4ee1-8a1c-9ddf07303de0) BuiltIn

2024-06-03 17:39:43

ALZ

PostgreSQL

c29c38cb-74a7-4505-9a06-e588ab86620a

Enforce SSL connection should be enabled for PostgreSQL flexible servers

Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL flexible server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database flexible server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your PostgreSQL flexible server.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-05-27 16:38:31

BuiltIn

PostgreSQL

5375a5bb-22c6-46d7-8a43-83417cfb4460

Private endpoint should be enabled for PostgreSQL flexible servers

Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-05-27 16:38:31

BuiltIn

PostgreSQL

cee2f9fd-3968-44be-a863-bd62c9884423

Geo-redundant backup should be enabled for Azure Database for PostgreSQL flexible servers

Azure Database for PostgreSQL flexible servers allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-05-27 16:38:31

BuiltIn

PostgreSQL

086709ac-11b5-478d-a893-9567a16d2ae3

Log connections should be enabled for PostgreSQL flexible servers

This policy helps audit any PostgreSQL flexible servers in your environment without log_connections setting enabled.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-05-27 16:38:31

BuiltIn

Cosmos DB

Azure Cosmos DB accounts should have firewall rules

Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Minor (2.0.0 > 2.1.0)

2024-05-27 16:38:31

BuiltIn

Azure Update Manager

dacf07fa-0eea-4486-80bc-b93fae88ac40

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.10.0 > 3.12.0)

2024-05-27 16:38:31

BuiltIn

PostgreSQL

Connection throttling should be enabled for PostgreSQL flexible servers

This policy helps audit any PostgreSQL flexible servers in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-05-27 16:38:31

BuiltIn

PostgreSQL

70be9e12-c935-49ac-9bd8-fd64b85c1f87

Log checkpoints should be enabled for PostgreSQL flexible servers

This policy helps audit any PostgreSQL flexible servers in your environment without log_checkpoints setting enabled.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-05-27 16:38:31

BuiltIn

Azure Update Manager

9905ca54-1471-49c6-8291-7582c04cd4d4

Set prerequisite for Scheduling recurring updates on Azure virtual machines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-05-27 16:38:31

BuiltIn

PostgreSQL

1d14b021-1bae-4f93-b36b-69695e14984a

Disconnections should be logged for PostgreSQL flexible servers

This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-05-27 16:38:31

BuiltIn

Cosmos DB

12339a85-a25c-4f17-9f82-4766f13f5c4c

Azure Cosmos DB accounts should not allow traffic from all Azure data centers

Disallow the IP Firewall rule, '0.0.0.0', which allows for all traffic from any Azure data centers. Learn more at https://aka.ms/cosmosdb-firewall

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-05-17 18:03:56

BuiltIn

ChangeTrackingAndInventory

ad1eeff9-20d7-4c82-a04e-903acab0bfc1

Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-05-17 18:03:56

BuiltIn

ChangeTrackingAndInventory

4485d24b-a9d3-4206-b691-1fad83bc5007

Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-05-17 18:03:56

BuiltIn

ChangeTrackingAndInventory

Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.4.0-preview > 1.5.0-preview)

2024-05-17 18:03:56

BuiltIn

ChangeTrackingAndInventory

Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview)

2024-05-17 18:03:56

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2024-05-13 17:44:58

BuiltIn

Monitoring

6e2593d9-add6-4083-9c9b-4b7d2188c899

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.6.0 > 3.7.0)

2024-05-13 17:44:58

BuiltIn

Security Center

Email notification for high severity alerts should be enabled

To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-05-13 17:44:58

BuiltIn

Backup

6e68865f-f3cd-48ec-9bba-54795672eaa4

[Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region

Enforce backup for all Azure Disks (Managed Disks) that do not contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-05-13 17:44:58

BuiltIn

Backup

7b5a3b1d-d2e1-4c0b-9f3b-ad0b9a2283f4

[Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region

Enforce backup for all Azure Disks (Managed Disks) that contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-05-13 17:44:58

BuiltIn

Monitoring

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.2.0 > 4.3.0)

2024-05-13 17:44:58

BuiltIn

Security Center

a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4

Configure Microsoft Defender for Storage to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2024-05-13 17:44:58

BuiltIn

Guest Configuration

Audit SSH security posture for Linux (powered by OSConfig)

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-05-13 17:44:58

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2024-05-13 17:44:58

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.2.0 > 9.3.0)

2024-05-13 17:44:58

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2024-05-13 17:44:58

BuiltIn

Monitoring

c84e5349-db6d-4769-805e-e14037dab9b5

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.2.0 > 4.3.0)

2024-05-13 17:44:58

BuiltIn

Monitoring

Deploy Diagnostic Settings for Batch Account to Log Analytics workspace

Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-05-13 17:44:58

BuiltIn

Security Center

9a021087-bba6-42fd-b535-bba75297566b

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2024-05-13 17:44:58

BuiltIn

Backup

[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.

Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2024-05-13 17:44:58

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (6.3.0 > 6.4.0)

2024-05-13 17:44:58

BuiltIn

Backup

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.2.0 > 9.3.0)

2024-05-13 17:44:58

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.2.0 > 9.3.0)

2024-05-13 17:44:58

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.6.0 > 3.7.0)

2024-05-13 17:44:58

BuiltIn

Security Center

bdff5235-9f40-4a32-893f-38a03d5d607c

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR

Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2024-05-13 17:44:58

BuiltIn

Backup

[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag.

Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2024-05-13 17:44:58

BuiltIn

Backup

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.2.0 > 9.3.0)

2024-05-13 17:44:58

BuiltIn

Security Center

e92686fd-65f0-420f-a52b-7da14f3cef90

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.5.0 > 1.6.0)

2024-05-13 17:44:58

BuiltIn

Monitoring

Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Recovery Services vaults (microsoft.recoveryservices/vaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

fc66c506-9397-485e-9451-acc1525f0070

Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

2cb215be-a09b-4623-ac2f-dfc5012b1a5b

Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for ExpressRoute circuits (microsoft.network/expressroutecircuits).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

bdef6e51-210f-4dc3-87b4-eef30f2e6a17

Enable logging by category group for microsoft.community/communitytrainings to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

ac27709a-8e3a-4abf-8122-877af1dd9209

Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5cfb9e8a-2f13-40bd-a527-c89bc596d299

Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/workspaces/onlineendpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

99b76532-523c-44da-8d28-3af059fd7fbb

Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Topics (microsoft.eventgrid/partnertopics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0fff3e39-f422-45b0-b497-33a05b996d3e

Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid System Topics (microsoft.eventgrid/systemtopics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2f6556cb-a2da-4130-a0dd-e5d05dccf9bb

Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Video Indexer (microsoft.videoindexer/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

50bdafe5-c7b6-4812-af5f-75dc00561aed

Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Firewalls (microsoft.network/azurefirewalls).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

22c8a30b-c5c1-4434-b837-2772543d3c3c

Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid System Topics (microsoft.eventgrid/systemtopics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

63d1a629-735c-448b-b45f-5e3865e84cf5

Enable logging by category group for Logic apps (microsoft.logic/workflows) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Logic apps (microsoft.logic/workflows).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

144aa510-91a0-4de9-9800-43a7ef5e947f

Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data factories (V2) (microsoft.datafactory/factories).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

baa4c6de-b7cf-4b12-b436-6e40ef44c8cb

Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network security groups (microsoft.network/networksecuritygroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e6421995-539a-4ce3-854b-1c88534396cf

Enable logging by category group for microsoft.networkcloud/baremetalmachines to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/baremetalmachines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f48e8ce0-91bd-4d51-8aba-8990d942f999

Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b4a9c220-1d62-4163-a17b-30db7d5b7278

Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

e97f20f4-8bf0-4a35-a319-38f4144228f5

Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bot Services (microsoft.botservice/botservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

82b076b9-2062-4516-ae4c-37b1890eabb2

Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dev centers (microsoft.devcenter/devcenters).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

63f9b4b2-de99-4b16-ad94-1a5464ac4f7d

Enable logging by category group for microsoft.synapse/workspaces/kustopools to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b88bfd90-4da5-43eb-936f-ae1481924291

Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

5fbd326d-328c-414e-a922-2d6963998962

Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/flexibleservers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e7c86682-34c1-488a-9aab-9cb279207992

Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

ba00f5fb-98f7-4542-b88a-16c5ce44f26a

Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.autonomousdevelopmentplatform/workspaces.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9b6f89db-876b-4156-9f9b-f29dcf302ad2

Enable logging by category group for microsoft.azuresphere/catalogs to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.azuresphere/catalogs.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

65a1573e-cc90-412b-8db2-ba60731b0ea6

Enable logging by category group for microsoft.customproviders/resourceproviders to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.customproviders/resourceproviders.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

454c7d4b-c141-43f1-8c81-975ebb15a9b5

Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Databricks Services (microsoft.databricks/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2fbd2ca9-e7b2-47a0-a8b2-575f3f7607d4

Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.cdn/cdnwebapplicationfirewallpolicies.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

abb62520-ee66-4bdb-96d3-49ad98c66131

Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a819f227-229d-44cb-8ad6-25becdb4451f

Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Data Explorer Clusters (microsoft.kusto/clusters).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

03a087c0-b49f-4440-9ae5-013703eccc8c

Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

a9ebdeda-251a-4311-92be-5167d73b1682

Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

69d4fcec-8426-426a-ad48-439fd3b14e9e

Enable logging by category group for microsoft.dbforpostgresql/servers to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

aec4c33f-2f2a-4fd3-91cd-24a939513c60

Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Azure Update Manager

9905ca54-1471-49c6-8291-7582c04cd4d4

Set prerequisite for Scheduling recurring updates on Azure virtual machines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9c79e60b-99f2-49f3-b08c-630d269bddc1

Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure AD Domain Services (microsoft.aad/domainservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e2526c67-0363-4da9-96f8-a95d746cf60b

Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Playwright Testing (microsoft.azureplaywrightservice/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b6f29e6b-4b21-4bb6-a997-38592fa02864

Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed CCF Apps (microsoft.confidentialledger/managedccfs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d111f33e-5cb3-414e-aec4-427e7d1080c9

Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Analytics (microsoft.datalakeanalytics/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1888f765-327a-4a8d-9816-968b34ea8b78

Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for FHIR service (microsoft.healthcareapis/workspaces/fhirservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

614d9fbd-68cd-4832-96db-3362069661b2

Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

56288eb2-4350-461d-9ece-2bb242269dce

Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

167dbbbc-a03a-4ebe-8e46-c34cc67f7d9d

Enable logging by category group for microsoft.d365customerinsights/instances to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.d365customerinsights/instances.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

84d8a69f-788a-4025-ba96-f36406cc9ee5

Enable logging by category group for microsoft.machinelearningservices/registries to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/registries.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0628b917-d4b4-4af5-bc2b-b4f87cd173ab

Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

bbdbb83b-cbfe-49f7-b7d1-1126630a68b7

Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0b6b8abb-7761-4e02-ae0e-2c873b5152ca

Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Spring Apps (microsoft.appplatform/spring).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b14e31e2-22d0-48bb-907e-cfb3487e2120

Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for HPC caches (microsoft.storagecache/caches).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9fcae8ed-246a-407b-8f75-f3500ff2c9db

Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Batch accounts (microsoft.batch/batchaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a78631da-8506-4113-96f4-2805de193083

Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Managed Grafana (microsoft.dashboard/grafana).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

064a3695-3197-4354-816b-65c7b952db9e

Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/mongoclusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d8a9593e-791e-4fd7-9b22-a75b76e5de17

Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

856331d3-0169-4dd9-9b04-cbb2ad3d1cf2

Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

fea83f6c-a18a-4338-8f1f-80ecba4c5643

Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Backup vaults (microsoft.dataprotection/backupvaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

bb7bbee6-718c-4a71-a474-9f9f0e2a55e4

Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Experiment Workspaces (microsoft.experimentation/experimentworkspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5a1fa110-16bc-49d0-a045-29a552b67cef

Enable logging by category group for microsoft.synapse/workspaces/kustopools to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.synapse/workspaces/kustopools.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

068e22bd-8057-466b-9642-7cd2ca476158

Enable logging by category group for microsoft.timeseriesinsights/environments to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a1a5f3c5-d01a-459c-8398-a3c9a79ad879

Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Video Indexer (microsoft.videoindexer/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

78d285d5-f767-43f8-aa36-4616daaf9d51

Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Backup vaults (microsoft.dataprotection/backupvaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b9b976cc-59ef-468a-807e-19afa2ebfd52

Enable logging by category group for microsoft.network/p2svpngateways to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

ee64264d-f9e3-4a0e-bbe2-db4319aeaf42

Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Endpoints (microsoft.cdn/profiles/endpoints).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3534c358-8a1c-4601-b6ff-43d378d65efa

Enable logging by category group for microsoft.devices/provisioningservices to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.devices/provisioningservices.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

14e81583-c89c-47db-af0d-f9ddddcccd9f

Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

234bbd1b-05f6-4639-8770-1cd5278ba2c9

Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.autonomousdevelopmentplatform/workspaces.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

887dc342-c6bd-418b-9407-ab0e27deba36

Enable logging by category group for microsoft.synapse/workspaces/kustopools to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.synapse/workspaces/kustopools.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5d487647-6a53-4839-8eb8-edccf5e6bf1d

Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Live events (microsoft.media/mediaservices/liveevents).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0ebe872d-7029-4292-88bc-ad3e2cf3772f

Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networksecurityperimeters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b4545446-0cac-4af5-b591-61544b66e802

Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Workspaces (microsoft.desktopvirtualization/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f018b68f-d953-4238-81a3-94a0f39507e3

Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SCOPE pools (microsoft.synapse/workspaces/scopepools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f9431f54-4c78-47ef-aac9-2b37cbaeae75

Enable logging by category group for Logic apps (microsoft.logic/workflows) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Logic apps (microsoft.logic/workflows).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f8352124-56fa-4f94-9441-425109cdc14b

Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

ae0fc3d3-c9ce-43e8-923a-a143db56d81e

Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/cassandraclusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

305408ed-dd5a-43b9-80c1-9eea87a176bb

Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Synapse Analytics (microsoft.synapse/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

da9b245a-05a9-4c2a-acb3-5afe62658776

Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Integration accounts (microsoft.logic/integrationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

07c818eb-df75-4465-9233-6a8667e86670

Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

be26ca28-761d-4538-b78a-975eb47c680c

Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b9d3f759-4cda-43cf-8f64-5b01aeb1c21a

Enable logging by category group for microsoft.networkcloud/clusters to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/clusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

8fc4ca5f-6abc-4b30-9565-0bd91ac49420

Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

ed251afd-72b1-4e41-b6c9-6614420f1207

Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Shares (microsoft.datashare/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2db34cad-25ef-48e3-a787-c2cd36434cd7

Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

eb5a4c26-04cb-4ab1-81cb-726dc58df772

Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

73fb42d8-b57f-41cd-a840-8f4dedb1dd27

Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

0e4325e3-228b-40f0-83ae-9c03276858c1

Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Connected Cache Resources (microsoft.connectedcache/ispcustomers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d8624de8-47fe-47c0-bea0-2d8329b628fe

Enable logging by category group for microsoft.network/vpngateways to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/vpngateways.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

93319447-e347-406b-953f-618c3b599554

Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for ExpressRoute circuits (microsoft.network/expressroutecircuits).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d4d93413-9560-4252-a16d-b8c3bbaf5baf

Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Analytics (microsoft.datalakeanalytics/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0fcf2d91-8951-43be-9505-ab43dee2f580

Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

69214fad-6742-49a9-8f71-ee9d269364ab

Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

824142d3-eccb-4b7c-8403-319610811237

Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data collection rules (microsoft.insights/datacollectionrules).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

605dd1c9-db6f-496f-ba7f-841ea3e246e0

Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MySQL servers (microsoft.dbformysql/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b15247e4-f83b-48b2-b34e-8ea6148a0f34

Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for 1ES Hosted Pools (microsoft.cloudtest/hostedpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

56ae9f08-b8c9-4a0f-8f58-5dbcd63bef84

Enable logging by category group for Relays (microsoft.relay/namespaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Relays (microsoft.relay/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6b2899d8-5fdf-4ade-ba59-f1f82664877b

Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

6ee1c58c-a123-4cd6-8643-48b2f7ffb3e1

Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networkmanagers/ipampools.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

c29fe1b2-c0b0-4d92-a988-84b484801707

Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network Managers (microsoft.network/networkmanagers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

cd0a772a-62ba-4295-8311-d6710ebe967b

Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data collection rules (microsoft.insights/datacollectionrules).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

415eaa04-e9db-476a-ba43-092d70ebe1e7

Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bot Services (microsoft.botservice/botservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a853abad-dfa4-4bf5-aaa1-04cb10c02d23

Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

de5d5895-642e-4d19-a14e-08a67b2dd152

Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MariaDB servers (microsoft.dbformariadb/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

aade2723-e7f6-46fd-b1dc-e6c2c7f7edc4

Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for 1ES Hosted Pools (microsoft.cloudtest/hostedpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f3977509-4420-4dfa-b1c9-2ab38dfd530f

Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2e3285f9-ae82-4f69-b83f-5b6f1ee69f3a

Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Playwright Testing (microsoft.azureplaywrightservice/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6f3f5778-f809-4755-9d8f-bd5a5a7add85

Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

69e0da8f-ca50-479d-b1a8-33a31426c512

Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Notification Hub Namespaces (microsoft.notificationhubs/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0925a080-ab8d-44a1-a39c-61e184b4d8f9

Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

e260a121-c160-4da3-8a0f-e2c0ff6c561e

Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for FHIR service (microsoft.healthcareapis/workspaces/fhirservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2453e322-a7e5-4905-ba1e-ac6ea60ff808

Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

75a112bc-759f-4f29-83cc-799019db39c3

Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Load Testing (microsoft.loadtestservice/loadtests).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

257954d9-4adf-410b-9751-3bb22fe9c180

Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure AD Domain Services (microsoft.aad/domainservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

8181847d-3422-4030-b815-481934740b63

Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a5385dba-3caf-43da-8804-c68174d315a7

Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Storage Gen1 (microsoft.datalakestore/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0f708273-cf83-4d29-b31b-ebaf8d0eb8c2

Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

3227dfd8-3536-4336-94c9-78633be6baa2

Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Analysis Services (microsoft.analysisservices/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

73baf464-93bb-450f-bda5-209c16d28dc3

Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9756f174-ca74-4d7a-a56e-7104d8a954b0

Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Communication Services (microsoft.communication/communicationservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3d28ea18-8e88-4160-96ff-4b6af4fd94c7

Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for HPC caches (microsoft.storagecache/caches).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a05c2daf-be1f-4d2c-8a12-b3627d477b44

Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed databases (microsoft.sql/managedinstances/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0e0c742d-5031-4e65-bf96-1bee7cf55740

Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

55d1f543-d1b0-4811-9663-d6d0dbc6326d

Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

e0f5ec01-8979-49bf-9fd7-2a4eff9fa8e0

Enable logging by category group for microsoft.network/vpngateways to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/vpngateways.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e9b1fed8-35a2-47d0-b8aa-3834f5032862

Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Synapse Analytics (microsoft.synapse/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

bbf47f27-95e4-46a0-82e1-898ce046d857

Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.azuresphere/catalogs.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5164fdc7-cfcd-4bd8-a3e9-f4be93166cde

Enable logging by category group for microsoft.workloads/sapvirtualinstances to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.workloads/sapvirtualinstances.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

83089e56-9675-4bc8-ae7d-ca4547dc764b

Enable logging by category group for microsoft.network/networksecurityperimeters to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networksecurityperimeters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

8d0e693f-1b54-41d1-880e-199c3caed23f

Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual networks (microsoft.network/virtualnetworks).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a6dd4d00-283d-4765-b3d1-44ace2ccacda

Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f62b9eab-b489-4388-9874-b0a62ca31327

Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MariaDB servers (microsoft.dbformariadb/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6af023b1-4841-4b54-8f3d-69caa4e558cb

Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application groups (microsoft.desktopvirtualization/applicationgroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9df7e623-1f7c-47fa-9db6-777c9a3f2636

Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.autonomousdevelopmentplatform/workspaces.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9

Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

9dbcaaa7-0c1b-4861-81c2-d340661b4382

Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SCOPE pools (microsoft.synapse/workspaces/scopepools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3d9b8097-326d-4675-8cff-cce4580c9208

Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Code Signing Accounts (microsoft.codesigning/codesigningaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

76e7a3b8-3822-4ca2-92d8-c20616fd870b

Enable logging by category group for microsoft.powerbi/tenants/workspaces to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

887d1795-3d3d-4859-9ef4-9447392db2ea

Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application gateways (microsoft.network/applicationgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

79494980-ea12-4ca1-8cca-317e942b6da2

Enable logging by category group for Application Insights (microsoft.insights/components) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (microsoft.insights/components).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9dc3e252-1cff-4ae5-bcad-5a92b7167d43

Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service Environments (microsoft.web/hostingenvironments).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1c5187ed-9863-4961-bb92-c72bc3883e24

Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Load Testing (microsoft.loadtestservice/loadtests).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

958060c2-8d8e-478e-b3ec-d3d2249b461c

Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Code Signing Accounts (microsoft.codesigning/codesigningaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

99b3bfad-aef0-476d-ae98-40861f8eae22

Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application groups (microsoft.desktopvirtualization/applicationgroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f7407db8-e40d-4efd-9fff-c61298e01fd5

Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e76ef589-c7d6-42cf-a61a-13471f6f50cd

Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Caches (microsoft.cache/redisenterprise/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

322b6192-a99b-4ab6-9b40-43ca19dcd0d9

Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

95f9d29c-defd-4387-b73b-5cdb4a982bf0

Enable logging by category group for microsoft.dbformysql/flexibleservers to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbformysql/flexibleservers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f55ffc18-72c5-479c-a998-dc6806a6fa89

Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Host pools (microsoft.desktopvirtualization/hostpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2853b2ac-3ce0-4e51-a1e3-086591e7028a

Enable logging by category group for Relays (microsoft.relay/namespaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Relays (microsoft.relay/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

dc1b5908-da05-4eed-a988-c5e32fdb682d

Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/dnsresolverpolicies.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

8ea88471-98e1-47e4-9f63-838c990ba2f4

Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Scaling plans (microsoft.desktopvirtualization/scalingplans).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a511ca63-0a10-46e3-960b-bb6431e9e1a3

Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.managednetworkfabric/networkdevices.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b797045a-b3cd-46e4-adc4-bbadb3381d78

Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

9f4e810a-899e-4e5e-8174-abfcf15739a3

Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

edf35972-ed56-4c2f-a4a1-65f0471ba702

Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

ca09affa-60d6-4cef-9037-b7372e1ac44f

Enable logging by category group for microsoft.network/vpngateways to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0120ef84-66e7-4faf-aad8-14c36389697e

Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network security groups (microsoft.network/networksecuritygroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1859cd03-7f77-495d-a0ce-336a36a6830d

Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application Insights (microsoft.insights/components).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

50d96640-65c9-42de-b79a-95c1890c6ec8

Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkfunction/azuretrafficcollectors.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

434b25a4-5396-41ec-97aa-1f4ae3bf269d

Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Analysis Services (microsoft.analysisservices/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

ca05d7f2-6625-4cc3-a65a-4931b45ff139

Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3c25d50c-bd5a-4f98-a0de-2495e000cfa7

Enable logging by category group for microsoft.openenergyplatform/energyservices to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.openenergyplatform/energyservices.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1aa5a06a-0cee-4598-8200-94755d500381

Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MariaDB servers (microsoft.dbformariadb/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

867c08d5-bc47-404d-9a1b-0aec7a8d34eb

Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Workspaces (microsoft.desktopvirtualization/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3dd58519-427e-42a4-8ffc-e415a3c716f1

Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

84509667-1a94-4255-9e5f-b479075c1069

Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servergroupsv2.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

668e9597-4ccc-452f-80be-e9dd5b2ab897

Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Power BI Embedded (microsoft.powerbidedicated/capacities).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1abe42e1-a726-4dee-94c2-79f364dac9b7

Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

1568dd08-cca0-4073-bfd8-e08a7fdc543e

Enable logging by category group for microsoft.workloads/sapvirtualinstances to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.workloads/sapvirtualinstances.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3ca36b5c-2f29-41a0-9b1d-80e2cdf2d947

Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Load balancers (microsoft.network/loadbalancers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2f4d1c08-3695-41a7-a0a0-8db4a0e25233

Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Recovery Services vaults (microsoft.recoveryservices/vaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0b726841-c441-44ed-a2cc-d321e3be3ed7

Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9529ceaf-8c7e-4149-bcb6-f38f63c5e4bd

Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2d8b0f41-9850-4bac-b63b-96a882a0e683

Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Connected Cache Resources (microsoft.connectedcache/ispcustomers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

20a921eb-1c4b-4bb7-a78f-6653ad293dba

Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

14681907-c749-4d60-8eae-1038537fb8a3

Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d

Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

005380e0-1f5b-467a-8ae8-8519938627f9

Enable logging by category group for microsoft.networkcloud/storageappliances to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/storageappliances.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

590b6105-4715-4e8b-8049-c5a4ae07d8e9

Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

60579569-3633-42cb-ae6a-195080bf310d

Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkfunction/azuretrafficcollectors.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

499b7900-f44e-40ea-b8d3-2f3cf75f2ca4

Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/flexibleservers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b79bf56e-c296-4829-afea-6ac9263e7687

Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/dnsresolverpolicies.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e99ab54f-260e-4925-a70f-8fe0a92443ef

Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Storage movers (microsoft.storagemover/storagemovers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

18009236-18d3-48e3-bd21-4e7630153611

Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Connected Cache Resources (microsoft.connectedcache/ispcustomers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

751f9297-5aae-4313-af2d-2a89226a7856

Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data factories (V2) (microsoft.datafactory/factories).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

50cebe4c-8021-4f07-bcb2-6c80622444a9

Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

0dac4c0b-0ca4-4c6e-9a09-61917873b3b0

Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5f6f2aba-e57f-42ed-9aeb-ffa7321a56db

Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e

Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

792f8b74-dc05-44fd-b90d-340a097b80e6

Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

5a69fd36-760e-4a65-a621-836f1159e304

Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.notificationhubs/namespaces/notificationhubs.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

76539a09-021e-4300-953b-4c6018ac26dc

Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

6b359d8f-f88d-4052-aa7c-32015963ecc1

Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

ffe49e3d-50dd-4137-8fe5-6877c4384b69

Enable logging by category group for microsoft.workloads/sapvirtualinstances to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f08edf17-5de2-4966-8c62-a50a3f4368ff

Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

50ca36f4-5306-4275-ad42-a40ca2805c77

Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Databricks Services (microsoft.databricks/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d3abca82-2ae2-4707-bf5e-cfc765ce9ff1

Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.servicenetworking/trafficcontrollers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a474a6be-35da-4c8a-ae97-f97d03bbd213

Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dev centers (microsoft.devcenter/devcenters).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9ba29e83-863d-4fec-81d0-16dd87067cc3

Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

2308e22a-85e9-431d-8c47-36072dfa64b5

Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

bf6af3d2-fbd5-458f-8a40-2556cf539b45

Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b

Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

d3e11828-02c8-40d2-a518-ad01508bb4d7

Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

35806bc0-0260-4642-bae7-0ed677b3da44

Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1cd30d13-d34c-4cb8-8f9d-4692f7d40d97

Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Chaos Experiments (microsoft.chaos/experiments).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1118afbc-c48d-43ae-931a-87b38956d40b

Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3d7d0cc7-bd72-4f41-bf55-0be57faa3883

Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

60af09fa-d167-44da-9bfc-21a49546a7b5

Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Backup vaults (microsoft.dataprotection/backupvaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d147ba9f-3e17-40b1-9c23-3bca478ba804

Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

23673f24-2594-43e9-9983-60a0be21bd76

Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network Managers (microsoft.network/networkmanagers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

c5ecf495-6caa-445c-b431-04fda56c555a

Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for ExpressRoute circuits (microsoft.network/expressroutecircuits).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3234ff41-8bec-40a3-b5cb-109c95f1c8ce

Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual networks (microsoft.network/virtualnetworks).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb

Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

8d0726a6-abae-4b04-9d2e-1f2f67a47e6d

Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

ed6ae75a-828f-4fea-88fd-dead1145f1dd

Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

40ce1496-89c2-40cf-80e5-3c4687d2ee4b

Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual networks (microsoft.network/virtualnetworks).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

93a604fe-0ec2-4a99-ab8c-7ef08f05555a

Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

34c7546c-d637-4b5d-96ab-93fb6ed07af8

Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

d7d59290-3ee5-4c1b-b408-c38b21799aea

Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.managednetworkfabric/networkdevices.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a285df35-0164-4f4d-9e04-c39056742c55

Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

e488a548-7afd-43a7-a903-2a6dd36e7504

Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

a83fcddb-39d0-4c21-af38-76d2c935c3ca

Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments/eventsources.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

244bcb20-b194-41f3-afcc-63aef382b64c

Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves)

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-04-29 17:47:10

BuiltIn

Monitoring

8464ded4-af15-4319-950f-a30400d35247

Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Integration accounts (microsoft.logic/integrationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3a8ff864-d881-44ce-bed3-0c63ede634cb

Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

7806c8b4-afc9-4a35-b9a9-3707413df35e

Enable logging by category group for microsoft.insights/autoscalesettings to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.insights/autoscalesettings.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

819c6fd1-432a-4516-a9cb-0c4462af610f

Enable logging by category group for microsoft.powerbi/tenants/workspaces to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.powerbi/tenants/workspaces.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

81039988-1f84-4aa6-8039-0a64c2a301b4

Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Playwright Testing (microsoft.azureplaywrightservice/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

fa570aa1-acca-4eea-8e5a-233cf2c5e4c2

Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Caches (microsoft.cache/redisenterprise/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

bd0965d6-9544-406a-90b5-dc2d566670b8

Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed databases (microsoft.sql/managedinstances/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2cc39a57-5106-4d41-b872-55c2b9d7b729

Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP Prefixes (microsoft.network/publicipprefixes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f873a711-0322-4744-8322-7e62950fbec2

Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

5b67d7f3-488f-42df-ab16-e38a913fcdba

Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Spring Apps (microsoft.appplatform/spring).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

11638078-a29c-4cf3-ad7f-775f78327425

Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application gateways (microsoft.network/applicationgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

58e22268-dacf-4b7f-b445-338a7e56d23c

Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

eb2fea88-fa7b-4531-a4c1-428c618fbcc8

Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for FHIR service (microsoft.healthcareapis/workspaces/fhirservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

116caf13-2666-4a2e-afca-9a5f1e671b11

Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Power BI Embedded (microsoft.powerbidedicated/capacities).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

c3b912c2-7f5b-47ac-bd52-8c85a7667961

Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

a08af17e-c2a3-478e-a819-94839ef02b32

Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e1bf4d43-542a-4410-918d-7e61c8e1ac21

Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Topics (microsoft.eventgrid/partnertopics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

be3ddb6b-c328-4ecd-91e8-c2804868ea9c

Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

7a8afaba-cc24-4306-b83f-d178f1a10ba2

Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Power BI Embedded (microsoft.powerbidedicated/capacities).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

71153be3-4742-4aae-9aec-150f7589311b

Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

f6d5d5d5-0fa9-4257-b820-69c35016c973

Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

087dbf66-448d-4235-b7b8-17af48edc9db

Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.classicnetwork/networksecuritygroups.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

8e29fe36-d794-4c55-87d6-5a206031dde2

Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed CCF Apps (microsoft.confidentialledger/managedccfs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

7860f3fe-0db3-42d4-bf3d-7042ea5e5787

Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbformysql/flexibleservers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

96abcdc6-3c5a-4b0f-b031-9a4c1f36c9a6

Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Synapse Analytics (microsoft.synapse/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b55f2e8e-dc76-4262-a0e3-45f02200ff0e

Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP Prefixes (microsoft.network/publicipprefixes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a21ac20a-4dd3-40e9-8036-b3351ecf9319

Enable logging by category group for microsoft.timeseriesinsights/environments to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6248cb7c-e485-42ad-ba20-b1ee8fba7674

Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Databricks Services (microsoft.databricks/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

315c965f-c0d7-4397-86d3-c05a0981437a

Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/workspaces/onlineendpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

cc789f91-3e63-4cfb-86f4-87565055f269

Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/workspaces/onlineendpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0fdc6116-c747-449c-b9cc-330fcd4c5c9c

Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

90425e88-1eab-420c-964e-fc1dc79833a6

Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

90c90eda-bfe7-4c67-bf26-410420ed1047

Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

5360664a-5821-4f43-8988-3f0ed8f3f8a5

Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

85779c9a-7fdf-4294-937c-ded183166fa8

Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

4b05de63-3ad2-4f6d-b421-da21f1328f3b

Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

72d254bb-d0ed-42f2-9160-6b11b65b599c

Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

be9259e2-a221-4411-84fd-dd22c6691653

Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

58cb2d8e-623c-4557-bb4e-0b64cb41ec55

Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Service Environments (microsoft.web/hostingenvironments).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

fe85de62-a656-4b79-9d94-d95c89319bd9

Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

140ad507-70f0-43cb-a7cb-a8964341aefa

Enable logging by category group for Application Insights (microsoft.insights/components) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application Insights (microsoft.insights/components).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

041fdf14-0dd4-4ce0-83ff-de5456be0c85

Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

8af74447-9495-4245-8e49-f74723dcd231

Enable logging by category group for microsoft.openenergyplatform/energyservices to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

13bf624e-fe24-40f0-9a7c-066e28a50871

Enable logging by category group for microsoft.devices/provisioningservices to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

63a8eb0d-f030-4bc6-a1e4-6998f23aa160

Enable logging by category group for microsoft.networkcloud/clusters to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/clusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

40f0d036-d73d-45a9-8c3d-f3f84d227193

Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Batch accounts (microsoft.batch/batchaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

106cd3bd-50a1-466c-869f-f9c2d310477b

Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

7646801f-46d5-48d0-9e18-efb884944f3e

Enable logging by category group for microsoft.customproviders/resourceproviders to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.customproviders/resourceproviders.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3ce7ba9e-058f-4ce9-b4d6-22e6c1238904

Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for DICOM service (microsoft.healthcareapis/workspaces/dicomservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2eb903dd-4881-4284-a31d-4bae3f053946

Enable logging by category group for microsoft.community/communitytrainings to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.community/communitytrainings.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a81eb966-6696-46b1-9153-bed01569a7d0

Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

b678d84d-9723-4df0-a131-82c730231f1e

Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Recovery Services vaults (microsoft.recoveryservices/vaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5798b390-1b02-47b7-88fb-90adf07e8d1b

Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

4ce6d386-fc8e-4ac4-9bff-e5859625cea4

Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

64948b6b-409d-4af2-970f-3b80fea408c1

Enable logging by category group for microsoft.networkcloud/clusters to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

28e2d787-b5f4-43cf-8cb7-11b54773d379

Enable logging by category group for microsoft.network/networkmanagers/ipampools to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networkmanagers/ipampools.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

971199b6-1971-4d3e-85b0-fa7639044679

Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

92012204-a7e4-4a95-bbe5-90d0d3e12735

Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application gateways (microsoft.network/applicationgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

54c7cff6-a032-43e1-9656-d4c24665f805

Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.notificationhubs/namespaces/notificationhubs.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

7e87b2cc-1e49-4e07-a651-a2f38d4667ad

Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data collection rules (microsoft.insights/datacollectionrules).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

68ba9fc9-71b9-4e6f-9cf5-ecc07722324c

Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1840aef8-71df-4a30-a108-efdb4f291a7f

Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Integration accounts (microsoft.logic/integrationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

34705075-71e2-480c-a9cb-6e9387f47f0f

Enable logging by category group for Relays (microsoft.relay/namespaces) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

cf6ff94d-c483-4491-976a-eb784101217a

Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Experiment Workspaces (microsoft.experimentation/experimentworkspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

60ad0a9f-f760-45ff-ab94-4c64d7439f18

Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container instances (microsoft.containerinstance/containergroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

4cabf9fc-4ed1-4990-bbaf-7248fb8751bc

Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

8d42b501-dd03-449d-a070-32d1db2e546b

Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed databases (microsoft.sql/managedinstances/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

145ff119-bfcf-443a-834c-b59859ec3ee7

Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Caches (microsoft.cache/redisenterprise/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1bd3a451-9f38-43e5-aed3-bede117c3055

Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Analytics (microsoft.datalakeanalytics/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b90ec596-faa6-4c61-9515-34085703e260

Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

f969646f-b6b8-45a0-b736-bf9b4bb933dc

Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

20f21bc7-b0b8-4d57-83df-5a8a0912b934

Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

8d253bba-a338-4fd9-9752-6b6edadca1eb

Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

a972fe34-7882-4476-87cf-eb9631785fb5

Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servergroupsv2.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

339855ce-39c1-4a70-adc9-103ea7aac99f

Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

42e5ad1f-57fd-49a7-b0e4-c7a7ae25ba3d

Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Code Signing Accounts (microsoft.codesigning/codesigningaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a26c842f-bee7-4a1f-9ae1-a973d3a0075a

Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container Apps Environments (microsoft.app/managedenvironments).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f48c1843-fc88-47c1-9b01-4527c76c890a

Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Managed Grafana (microsoft.dashboard/grafana).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e74570cf-1b7d-4bed-b79e-d1fd1117a39a

Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Endpoints (microsoft.cdn/profiles/endpoints).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d9f11fea-dd45-46aa-8908-b7a146f1e543

Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

041e904a-33e5-45fd-b3f6-4ac95f1f8761

Enable logging by category group for microsoft.devices/provisioningservices to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.devices/provisioningservices.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

77c56019-5c71-4d33-9ce3-7a817f2bc7fa

Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

8963c37c-1113-4f1b-ae2e-3a5dd960a7f1

Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments/eventsources.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

33835ef6-bc67-4bde-bf5f-5a857f195a57

Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/registries.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0ba93a1b-ac4d-4e7b-976a-548a18be1e52

Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Experiment Workspaces (microsoft.experimentation/experimentworkspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

94d707a8-ce27-4851-9ce2-07dfe96a095b

Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

12000b3e-e38b-4bef-9098-38785f06ea32

Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

4c9cd884-3e45-4588-ac9d-00d44be2cbcd

Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f5094957-e0f7-4af2-9e14-13d60141dc4a

Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

5fcf46f9-194c-47ff-8889-380f57ae4617

Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewalls (microsoft.network/azurefirewalls).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

30499756-47d6-493c-9e57-ee3db2d9fa96

Enable logging by category group for microsoft.insights/autoscalesettings to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.insights/autoscalesettings.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2137dd9f-94ac-413f-93a8-d068966308c9

Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Data Explorer Clusters (microsoft.kusto/clusters).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

889bfebf-7428-426e-a86f-79e2a7de2f71

Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Load balancers (microsoft.network/loadbalancers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

c600af08-49ff-4f7a-b5c9-0686749387b7

Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container instances (microsoft.containerinstance/containergroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e25bcb29-0412-42c3-a526-1ff794310a1e

Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure API for FHIR (microsoft.healthcareapis/services).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b

Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

0509e2d8-d657-4563-a7c8-b88b9180a6e8

Enable logging by category group for microsoft.community/communitytrainings to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.community/communitytrainings.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a9725bd4-a2ad-479f-a29b-5e163cada399

Enable logging by category group for microsoft.networkcloud/baremetalmachines to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/baremetalmachines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0da6faeb-d6c6-4f6e-9f49-06277493270b

Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

0e861bb0-d926-4cdb-b2d6-d59336b8f5b3

Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkanalytics/dataproducts.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3ec48f10-33fc-40d2-aaf2-028c4f7bbd02

Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MySQL servers (microsoft.dbformysql/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e40b8f6f-0ecf-4c3b-b095-ba3562256e48

Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Analysis Services (microsoft.analysisservices/servers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

601e350d-405c-41d0-a886-72c283f8fab2

Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network security groups (microsoft.network/networksecuritygroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

efa9bf93-28f9-4f05-8e8c-31b8875e9713

Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Storage movers (microsoft.storagemover/storagemovers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a8de4d0a-d637-4684-b70e-6df73b74d117

Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

5e6697bc-9d6d-4de9-95f9-898f130372df

Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Video Indexer (microsoft.videoindexer/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0983eb33-77d7-47e5-9fa7-879f8cea012e

Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Notification Hub Namespaces (microsoft.notificationhubs/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3893777a-aaf0-4b74-b08a-14ca9e5a9608

Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container Apps Environments (microsoft.app/managedenvironments).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

10e8c93c-658d-47e8-aa6f-ed60f329c060

Enable logging by category group for microsoft.documentdb/mongoclusters to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/mongoclusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

adeec880-527c-4def-a2bf-3053be70eef8

Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a7c668bd-3327-474f-8fb5-8146e3e40e40

Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Host pools (microsoft.desktopvirtualization/hostpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

68d95589-2f07-42e3-ae6d-80a2ae3edbc4

Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Load Testing (microsoft.loadtestservice/loadtests).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

37d5d366-8544-498a-9106-00185b29a9e3

Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

4c67a1c0-8e77-4f4b-b572-5c11695aae2d

Enable logging by category group for microsoft.d365customerinsights/instances to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.d365customerinsights/instances.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

621d8969-4918-45e7-954b-2fb0b42e7059

Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Storage Gen1 (microsoft.datalakestore/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

ccdd9d7c-2bb6-465b-8ea1-5584b4af072e

Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

480ee186-7504-48ac-b64e-af38673aa2c6

Enable logging by category group for Search services (microsoft.search/searchservices) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Search services (microsoft.search/searchservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

17f18067-406f-49b2-84ce-d1eb66c3fc75

Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Live events (microsoft.media/mediaservices/liveevents).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

acbb9698-46bd-4800-89da-e3473c4ab10d

Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Communication Services (microsoft.communication/communicationservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1bd91eae-4429-4f23-b780-8c9622e023e3

Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure AD Domain Services (microsoft.aad/domainservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0eb11858-8d9f-4525-b9ab-cc5eab07d27a

Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed CCF Apps (microsoft.confidentialledger/managedccfs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

20e491a1-11fe-4d11-ab4e-a81edd23672e

Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for 1ES Hosted Pools (microsoft.cloudtest/hostedpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

82333640-495e-4249-92bb-2a5e2d07b964

Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network Managers (microsoft.network/networkmanagers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5305ea79-c247-456a-bdbd-dc35cef62ce1

Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

4d46b9c1-0a86-41bf-aaf2-74d0ebf8ce66

Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.cdn/cdnwebapplicationfirewallpolicies.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

ba0ba89c-1137-407f-ae7a-19152ea7ae82

Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

dfe69c56-9c12-4271-9e62-7607ab669582

Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Storage Gen1 (microsoft.datalakestore/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

1d98c506-1460-4424-9006-84210fa5214a

Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

02f64cac-bab0-4950-bb95-51f2d3970efa

Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments/eventsources.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b70d4e3a-b1d5-4432-b058-7ea0a4c02a4e

Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.connectedcache/enterprisemcccustomers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

2e8a8853-917a-4d26-9c3a-c92a7fa031e8

Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

39741c6f-5e8b-4511-bba4-6662d0e0e2ac

Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

a142867f-3142-4ac6-b952-ab950a29fca5

Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

6f7fa8b1-4456-4d4c-94c2-1f1651b18235

Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.classicnetwork/networksecuritygroups.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

ebd6e41f-c33e-4e16-9249-cee4c68e6e8c

Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.notificationhubs/namespaces/notificationhubs.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

c1c0dd3c-6354-4265-a88b-801f84649944

Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e9e99d63-621a-4a33-8799-0fb53e43f162

Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Scaling plans (microsoft.desktopvirtualization/scalingplans).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

14ed86b4-ea45-4b1b-98a5-eb8f5f7da726

Enable logging by category group for microsoft.openenergyplatform/energyservices to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.openenergyplatform/energyservices.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

dfbfceaa-14b2-4a90-a679-d169fa6a6a38

Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

69ab8bfc-dc5b-443d-93a7-7531551dec66

Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

a2361fd4-721d-4be2-9910-53be250b99ad

Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP Prefixes (microsoft.network/publicipprefixes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

ae48c709-d2b4-4fad-8c5c-838524130aa4

Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

f231d9f4-9110-40eb-979e-e4eac6602be2

Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure API for FHIR (microsoft.healthcareapis/services).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

b9c8d1de-593f-472f-b32a-7e2fe0c2374a

Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Communication Services (microsoft.communication/communicationservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

dcb324b0-3bfa-4df4-b476-64122bde219e

Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Scaling plans (microsoft.desktopvirtualization/scalingplans).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3496f6fd-57ba-485c-8a14-183c4493b781

Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

39078c44-b8d4-4c7d-8579-7f021d326ebf

Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Chaos Experiments (microsoft.chaos/experiments).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d16cdb9f-e2a8-4002-88f6-9eeaea1766f7

Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

00ec9865-beb6-4cfd-82ed-bd8f50756acd

Enable logging by category group for microsoft.network/p2svpngateways to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

059e6dd0-544a-4c93-abad-b3ad77667339

Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Host pools (microsoft.desktopvirtualization/hostpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

aaa4560d-9580-4804-a5e5-b9ffb469d49e

Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Data Explorer Clusters (microsoft.kusto/clusters).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5d7409c0-fb8e-4052-9969-ef09f12fd166

Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Live events (microsoft.media/mediaservices/liveevents).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

08240c20-e48f-47d9-9305-2a8c4da75a3e

Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Storage movers (microsoft.storagemover/storagemovers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

bd0079c6-6f2d-42f4-9cee-e23930968f10

Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

d98f63ed-e319-4dc3-898f-600953a05f7e

Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Managed Grafana (microsoft.dashboard/grafana).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

cac9e1c5-c3cb-47fa-8d4c-88b8559262d2

Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

a6d488fc-3520-4ec8-9cf6-c5e78d677651

Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6b80a35d-1e9a-43ac-9e0b-4519ce9f09b4

Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

db20d5eb-782b-4c4d-b668-06816ec72c58

Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for DICOM service (microsoft.healthcareapis/workspaces/dicomservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

c13b41e7-a45f-4600-96c0-18f84fb07771

Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.connectedcache/enterprisemcccustomers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

0277b2d5-6e6f-4d97-9929-a5c4eab56fd7

Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

20017523-2fd1-49a8-a766-79cbc572b827

Enable logging by category group for microsoft.timeseriesinsights/environments to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e6acdfc4-25e3-4b36-9b0c-5c5743edd1b7

Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Workspaces (microsoft.desktopvirtualization/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

116b1633-30d0-4e9a-a665-8aea3dc906c6

Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.servicenetworking/trafficcontrollers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

fc2bb2e1-739a-4a03-86a2-16ad55e90bd9

Enable logging by category group for microsoft.powerbi/tenants/workspaces to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.powerbi/tenants/workspaces.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

fc744b31-a930-4eb5-bc06-e81f98bf7214

Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

a12e0815-0735-48d9-b5b3-8a3b60a85b86

Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SCOPE pools (microsoft.synapse/workspaces/scopepools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

5e23caa9-3cea-4f5b-a181-ba6a3bdb91ef

Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure API for FHIR (microsoft.healthcareapis/services).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6308bf75-8340-4bab-b2ec-2f5000697af4

Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

9cbc4c60-0db8-483c-999b-0f017a01a56b

Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid System Topics (microsoft.eventgrid/systemtopics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

567c93f7-3661-494f-a30f-0a94d9bfebf8

Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

29565b0a-e1b5-49c1-94bf-b8b258656460

Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

47f4c5ae-1b43-4620-bcbd-65e2ee6fb7c8

Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

818719e5-1338-4776-9a9d-3c31e4df5986

Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

0bb5a1fb-b1ad-45fd-880e-a590f2ec8d1c

Enable logging by category group for microsoft.documentdb/cassandraclusters to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/cassandraclusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

4891dace-710e-40bd-b81f-6a0b9871b50b

Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Notification Hub Namespaces (microsoft.notificationhubs/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

944eae3e-6b16-4864-86e1-1b23d58386d5

Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

a271e156-b295-4537-b01d-09675d9e7851

Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

bfc6b185-2af1-4998-a32e-c0144792eeb2

Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Service Environments (microsoft.web/hostingenvironments).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

f0d25196-1ea4-49e1-ad53-ccada27b4862

Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for DICOM service (microsoft.healthcareapis/workspaces/dicomservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

4f925033-4d52-4619-909c-9c47a687dc51

Enable logging by category group for microsoft.networkcloud/storageappliances to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/storageappliances.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3372b9c2-d179-4190-9f0c-e6f6304d0e93

Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application groups (microsoft.desktopvirtualization/applicationgroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

852877d5-b61d-4741-b649-85a324bb3fd4

Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Shares (microsoft.datashare/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

46b2dd5d-3936-4347-8908-b298ea4466d3

Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

aa78af66-1659-40aa-90b0-b35b616adbdc

Enable logging by category group for microsoft.networkanalytics/dataproducts to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkanalytics/dataproducts.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

271ccc7b-8334-48c5-b90b-edf37dfb2d00

Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data factories (V2) (microsoft.datafactory/factories).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

557c828f-aa51-40d9-868a-cff8d3982818

Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

e1598217-5ff1-4978-b51d-f0238e100019

Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

ec51b91e-e03d-4435-b6e7-dcaffe6ba5c0

Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

6a664864-e2b5-413e-b930-f11caa132f16

Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container Apps Environments (microsoft.app/managedenvironments).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

8def4bdd-4362-4ed6-a26f-7bf8f2c58839

Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Search services (microsoft.search/searchservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Monitoring

3d034ef2-001c-46f6-a47b-e6e4a74ff89b

Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

e9c56c41-d453-4a80-af93-2331afeb3d82

Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-29 17:47:10

BuiltIn

Monitoring

5edd2580-3272-4509-b121-57054b4c70c4

Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Topics (microsoft.eventgrid/partnertopics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-04-29 17:47:10

BuiltIn

Managed Identity

93c45b74-42a1-4967-b25d-82c4dc630921

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview)

2024-04-22 16:32:55

BuiltIn

Communication

Communication service resource should use allow listed data location

Create a Communication service resource only from an allow listed data location. This data location determines where the data of the communication service resource will be stored at rest, ensuring your preferred allow listed data locations as this cannot be changed after resource creation.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-04-22 16:32:55

BuiltIn

Security Center

bcff6755-335b-484d-b435-d1161db39cdc

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-04-22 16:32:55

BuiltIn

Communication

Communication service resource should use a managed identity

Assigning a managed identity to your Communication service resource helps ensure secure authentication. This identity is used by this Communication service resource to communicate with other Azure services, like Azure Storage, in a secure way without you having to manage any credentials.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-04-22 16:32:55

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.

Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2024-04-22 16:32:55

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-04-22 16:32:55

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present.

Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2024-04-22 16:32:55

BuiltIn

Security Center

Configure the Microsoft Defender for SQL Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2024-04-22 16:32:55

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-04-22 16:32:55

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2024-04-22 16:32:55

BuiltIn

Managed Identity

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets

Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview)

2024-04-22 16:32:55

BuiltIn

Security Center

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.4.0 > 1.5.0)

2024-04-22 16:32:55

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.5.0 > 3.6.0)

2024-04-12 17:45:57

BuiltIn

Monitoring

Linux virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-04-12 17:45:57

BuiltIn

Guest Configuration

Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys; resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, old suffix: preview (1.2.0-preview > 1.2.1)

2024-04-12 17:45:57

BuiltIn

Kubernetes

3d5ed4c2-5e50-4c76-932b-8982691b68ae

[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.

Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-04-12 17:45:57

BuiltIn

Security Center

Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers

Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-04-12 17:45:57

BuiltIn

Kubernetes

[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool.

To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-04-12 17:45:57

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.4.0 > 3.5.0)

2024-04-12 17:45:57

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present.

Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-04-12 17:45:57

BuiltIn

Monitoring

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.4.0 > 3.5.0)

2024-04-12 17:45:57

BuiltIn

Security Center

Configure Microsoft Defender for Storage to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-12 17:45:57

BuiltIn

Monitoring

3dc5edcd-002d-444c-b216-e123bbfa37c0

Linux virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-04-12 17:45:57

BuiltIn

Guest Configuration

Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, old suffix: preview (1.1.0-preview > 1.1.1)

2024-04-12 17:45:57

BuiltIn

Monitoring

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.4.0 > 4.5.0)

2024-04-12 17:45:57

BuiltIn

Kubernetes

[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources

Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-04-12 17:45:57

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.5.0 > 3.6.0)

2024-04-12 17:45:57

BuiltIn

Monitoring

Linux Arc-enabled machines should have Azure Monitor Agent installed

Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-12 17:45:57

BuiltIn

Monitoring

d45520cb-31ca-44ba-8da2-fcf914608544

Configure Linux Arc-enabled machines to run Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.3.0 > 2.4.0)

2024-04-12 17:45:57

BuiltIn

Azure Ai Services

Configure Azure AI Services resources to disable local key access (disable local authentication)

Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 003
•Cognitive Services Contributor
•Cognitive Services OpenAI Contributor
•Search Service Contributor

add

new Policy

2024-04-12 17:45:57

BuiltIn

Azure Ai Services

55eff01b-f2bd-4c32-9203-db285f709d30

Configure Azure AI Services resources to disable local key access (disable local authentication)

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Cognitive Services Contributor
•Cognitive Services OpenAI Contributor

add

new Policy

2024-04-12 17:45:57

BuiltIn

Kubernetes

[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.

Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-04-12 17:45:57

BuiltIn

Kubernetes

[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.

Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.

Default
Mutate
Allowed
Mutate, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-04-12 17:45:57

BuiltIn

Kubernetes

480851ae-9ff3-49d1-904c-b5bd6f83f1ec

[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.

Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-04-08 17:52:20

BuiltIn

Monitoring

Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-08 17:52:20

BuiltIn

Monitoring

e20f31d7-6b6d-4644-962a-ae513a85ab0b

Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-08 17:52:20

BuiltIn

Monitoring

1513498c-3091-461a-b321-e9b433218d28

Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-08 17:52:20

BuiltIn

Monitoring

6567d3f3-42d0-4cfb-9606-9741ba60fa07

Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-08 17:52:20

BuiltIn

Kubernetes

[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.

Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-04-08 17:52:20

BuiltIn

Kubernetes

1a3b9003-eac6-4d39-a184-4a567ace7645

[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources

Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-04-08 17:52:20

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster container images must include the preStop hook

Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-04-08 17:52:20

BuiltIn

Monitoring

9e6aee71-3781-4acd-bba7-aac4fb067dfa

Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-08 17:52:20

BuiltIn

Kubernetes

441af8bf-7c88-4efc-bd24-b7be28d4acce

[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present.

Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-04-08 17:52:20

BuiltIn

Monitoring

Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-08 17:52:20

BuiltIn

Monitoring

fc602c00-2ce3-4556-b615-fa4159517103

Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-04-08 17:52:20

BuiltIn

Security Center

6e2593d9-add6-4083-9c9b-4b7d2188c899

Email notification for high severity alerts should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2024-04-08 17:52:20

BuiltIn

Kubernetes

021f8078-41a0-40e6-81b6-c6597da9f3ee

[Preview]: Kubernetes cluster container images should not include latest image tag

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-04-08 17:52:20

BuiltIn

Monitoring

39aa567d-69c2-4cc0-aaa9-76c6d4006b14

Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-08 17:52:20

BuiltIn

Kubernetes

[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.

Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-04-08 17:52:20

BuiltIn

Cognitive Services

8656d368-0643-4374-a63f-ae0ed4da1d9a

[Deprecated]: Cognitive Services accounts should disable public network access

To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Minor, new suffix: deprecated (3.0.1 > 3.1.0-deprecated)

2024-04-08 17:52:20

BuiltIn

Monitoring

Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-04-08 17:52:20

BuiltIn

Security Center

0b15565f-aa9e-48ba-8619-45960f2c314d

Email notification to subscription owner for high severity alerts should be enabled

To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2024-04-08 17:52:20

BuiltIn

Kubernetes

[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool.

To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.

Default
Mutate
Allowed
Mutate, Disabled

add

new Policy

2024-04-08 17:52:20

BuiltIn

Network

Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics

If a virtual network already has traffic analytics enabled, then, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.1.1 > 1.1.2)

2024-03-29 18:59:24

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (6.2.0 > 6.3.0)

2024-03-29 18:59:24

BuiltIn

Monitoring

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.3.0 > 4.4.0)

2024-03-29 18:59:24

BuiltIn

Monitoring

ece3c79b-2caf-470d-a5f5-66470c4fc649

Windows virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-03-25 19:17:21

BuiltIn

DevCenter

[Preview]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks.

Disallows the use of Microsoft Hosted Networks when creating Pool resources.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (6.1.0 > 6.2.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.2.0 > 4.3.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.3.0 > 4.4.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Windows Arc-enabled machines to run Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.3.0 > 2.4.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Windows virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.1.0 > 4.2.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.1.0 > 4.2.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.3.0 > 3.4.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-03-25 19:17:21

BuiltIn

Monitoring

d6588149-9f06-462c-a076-56aece45b5ba

Windows Arc-enabled machines should have Azure Monitor Agent installed

Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-03-25 19:17:21

BuiltIn

Backup

[Preview]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. Also an option to enforce Infra Encryption.

This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, option to check if Backup Vault also has Infrastructure Encryption enabled. Learn more at https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk. Please note that when 'Deny' effect is used, it would need you to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault go through.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-03-25 19:17:21

BuiltIn

BuiltInPolicyTest

85793e88-5a58-4555-93fa-4df63c86ae9c

[Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn.

Only deploy Registry Models in the allowed Registry and that are not restricted.

Default
Disabled
Allowed
Deny, Disabled

change

Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated)

2024-03-15 22:15:34

BuiltIn

Kubernetes

[Preview]: Must Have Anti Affinity Rules Set

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2024-03-15 22:15:34

BuiltIn

Kubernetes

[Preview]: Cannot Edit Individual Nodes

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2024-03-15 22:15:34

BuiltIn

Kubernetes

f8d398ae-0441-4921-a341-40f3973d4647

[Preview]: Reserved System Pool Taints

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2024-03-15 22:15:34

BuiltIn

BuiltInPolicyTest

[Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn

This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy.

Default
Disabled
Allowed
Deny, Disabled

change

Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated)

2024-03-15 22:15:34

BuiltIn

Kubernetes

Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access

Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor (2.0.4 > 2.1.0)

2024-03-15 22:15:34

BuiltIn

Kubernetes

78460a36-508a-49a4-b2b2-2f5ec564f4bb

[Preview]: No AKS Specific Labels

Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2024-03-15 22:15:34

BuiltIn

General

Do not allow deletion of resource types

This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.

Default
DenyAction
Allowed
DenyAction, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2024-03-15 22:15:34

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2024-03-15 22:15:34

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster services should use unique selectors

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2024-03-15 22:15:34

BuiltIn

Security Center

[Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys)

As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.3 > 1.1.0-deprecated)

2024-03-15 22:15:34

BuiltIn

Security Center

83a0809a-a4e3-4ef2-8a24-2afc156607af

[Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (2.0.2 > 2.1.0-deprecated)

2024-03-15 22:15:34

BuiltIn

BuiltInPolicyTest

[Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn.

This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated)

2024-03-15 22:15:34

BuiltIn

Azure Ai Services

1b4d1c4e-934c-4703-944c-27c82c06bebb

Diagnostic logs in Azure AI services resources should be enabled

Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-03-11 18:31:50

BuiltIn

Kubernetes

c95b54ad-0614-4633-ab29-104b01235cbf

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor (4.0.1 > 4.1.0)

2024-03-11 18:31:50

BuiltIn

Trusted Launch

Virtual Machine should have TrustedLaunch enabled

Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-03-11 18:31:50

BuiltIn

Cache

766f5de3-c6c0-4327-9f4d-042ab8ae846c

Configure Azure Cache for Redis to disable non SSL ports

Enable SSL only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2024-03-11 18:31:50

BuiltIn

Azure Update Manager

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.6.0 > 3.7.0)

2024-03-11 18:31:50

BuiltIn

Machine Learning

b03bb370-5249-4ea4-9fce-2552e87e45fa

Configure Azure Machine Learning Computes to disable local authentication methods

Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy.

Default
Modify
Allowed
Modify, Disabled

change

Minor (2.0.1 > 2.1.0)

2024-03-11 18:31:50

BuiltIn

Trusted Launch

Disks and OS image should support TrustedLaunch

TrustedLaunch improves security of a Virtual Machine which requires OS Disk & OS Image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-03-11 18:31:50

BuiltIn

Azure Ai Services

Azure AI Services resources should restrict network access

By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-03-11 18:31:50

BuiltIn

Machine Learning

Azure Machine Learning Computes should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.1 > 2.1.0)

2024-03-11 18:31:50

BuiltIn

Azure Update Manager

7384fde3-11b0-4047-acbd-b3cf3cc8ce07

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Minor (4.7.0 > 4.8.0)

2024-03-11 18:31:50

BuiltIn

Stack HCI

[Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies

This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/dad3a6b9-4451-492f-a95c-69efc6f3fada. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2024-03-01 17:50:27

BuiltIn

Mobile Network

45c4e9bd-ad6b-4634-9566-c2dad2f03cbf

SIM Group should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of SIM secrets in a SIM Group. Customer-managed keys are commonly required to meet regulatory compliance standards and they enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-03-01 17:50:27

BuiltIn

Stack HCI

dad3a6b9-4451-492f-a95c-69efc6f3fada

[Preview]: Azure Stack HCI servers should have consistently enforced application control policies

At a minimum, apply the Microsoft WDAC base policy in enforced mode on all Azure Stack HCI servers. Applied Windows Defender Application Control (WDAC) policies must be consistent across servers in the same cluster.

Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists

add

new Policy

2024-03-01 17:50:27

BuiltIn

Stack HCI

56c47221-b8b7-446e-9ab7-c7c9dc07f0ad

[Deprecated]: Azure Stack HCI servers should meet Secured-core requirements

This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2024-03-01 17:50:27

BuiltIn

Stack HCI

aee306e7-80b0-46f3-814c-d3d3083ed034

[Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems

This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2024-03-01 17:50:27

BuiltIn

Kubernetes

7508b186-60e2-4518-bf70-3d7fbaba1f3a

Disable Command Invoke on Azure Kubernetes Service clusters

Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor (1.1.0 > 1.2.0)

2024-03-01 17:50:27

BuiltIn

Mobile Network

Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID

Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2024-03-01 17:50:27

BuiltIn

Stack HCI

5e6bf724-0154-49bc-985f-27b2e07e636b

[Preview]: Azure Stack HCI servers should meet Secured-core requirements

Ensure that all Azure Stack HCI servers meet the Secured-core requirements. To enable the Secured-core server requirements: 1. From the Azure Stack HCI clusters page, go to Windows Admin Center and select Connect. 2. Go to the Security extension and select Secured-core. 3. Select any setting that is not enabled and click Enable.

Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists

add

new Policy

2024-03-01 17:50:27

BuiltIn

Stack HCI

36f0d6bc-a253-4df8-b25b-c3a5023ff443

[Preview]: Host and VM networking should be protected on Azure Stack HCI systems

Protect data on the Azure Stack HCI hosts network and on virtual machine network connections.

Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists

add

new Policy

2024-03-01 17:50:27

BuiltIn

Stack HCI

ee8ca833-1583-4d24-837e-96c2af9488a4

[Preview]: Azure Stack HCI systems should have encrypted volumes

Use BitLocker to encrypt the OS and data volumes on Azure Stack HCI systems.

Default
AuditIfNotExists
Allowed
Audit, Disabled, AuditIfNotExists

add

new Policy

2024-03-01 17:50:27

BuiltIn

Mobile Network

aec63c84-f9ea-46c7-9e66-ba567bae0f09

Packet Core Control Plane diagnostic access should only use Microsoft EntraID authentication type

Authenticaton type must be Microsoft EntraID for packet core diagnostic access over local APIs

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-03-01 17:50:27

BuiltIn

Stack HCI

ae95f12a-b6fd-42e0-805c-6b94b86c9830

[Deprecated]: Azure Stack HCI systems should have encrypted volumes

This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Disabled

change

Minor, suffix changed: new suffix: deprecated; old suffix: preview (1.0.0-preview > 1.1.0-deprecated)

2024-03-01 17:50:27

BuiltIn

Backup

d6f6f560-14b7-49a4-9fc8-d2c3a9807868

[Preview]: Immutability must be enabled for Recovery Services vaults

This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.

Default
Audit
Allowed
Audit, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2024-02-27 19:10:20

BuiltIn

BuiltInPolicyTest

98cec160-6f57-4d11-86e2-0a03290a3a8a

[Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn.

This is a test policy only for internal use by Policy team. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated)

2024-02-27 19:10:20

BuiltIn

Healthcare APIs

14961b63-a1eb-4378-8725-7e84ca8db0e6

DICOM Service should use a customer-managed key to encrypt data at rest

Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services DICOM Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-02-27 19:10:20

BuiltIn

BuiltInPolicyTest

85793e88-5a58-4555-93fa-4df63c86ae9c

[Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn.

Only deploy Registry Models in the allowed Registry and that are not restricted.

Default
Disabled
Allowed
Deny, Disabled

change

Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated)

2024-02-27 19:10:20

BuiltIn

Monitoring

f8d398ae-0441-4921-a341-40f3973d4647

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2024-02-27 19:10:20

BuiltIn

BuiltInPolicyTest

[Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn

Default
Disabled
Allowed
Deny, Disabled

change

Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated)

2024-02-27 19:10:20

BuiltIn

Kubernetes

41a72361-06e3-4e80-832a-690bd0708bc1

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.0.4 > 4.1.0)

2024-02-27 19:10:20

BuiltIn

VirtualEnclaves

Configure Storage Accounts to restrict network access through network ACL bypass configuration only.

To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2024-02-27 19:10:20

BuiltIn

Healthcare APIs

c42dee8c-0202-4a12-bd8e-3e171cbf64dd

FHIR Service should use a customer-managed key to encrypt data at rest

Use a customer-managed key to control the encryption at rest of the data stored in Azure Health Data Services FHIR Service when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-02-27 19:10:20

BuiltIn

Monitoring

fa8af49a-f61d-4f56-9138-46b77d37df43

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.0.1 > 4.1.0)

2024-02-27 19:10:20

BuiltIn

BuiltInPolicyTest

[Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn.

This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated.

Default
Audit
Allowed
Audit, Disabled

change

Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated)

2024-02-27 19:10:20

BuiltIn

Backup

2514263b-bc0d-4b06-ac3e-f262c0979018

[Preview]: Immutability must be enabled for backup vaults

This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.

Default
Audit
Allowed
Audit, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2024-02-27 19:10:20

BuiltIn

BuiltInPolicyTest

83a0809a-a4e3-4ef2-8a24-2afc156607af

[Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn.

This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (1.0.0-deprecated > 2.1.0-deprecated)

2024-02-27 19:10:20

BuiltIn

Monitoring

7809fda1-ba27-48c1-9c63-1f5aee46ba89

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-02-27 19:10:20

BuiltIn

VirtualEnclaves

Storage Accounts should restrict network access through network ACL bypass configuration only.

To improve the security of Storage Accounts, enable access only through network ACL bypass. This policy should be used in combination with a private endpoint for storage account access.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-27 19:10:20

BuiltIn

Monitoring

71ef260a-8f18-47b7-abcb-62d0673d94dc

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-02-27 19:10:20

BuiltIn

Azure Ai Services

Azure AI Services resources should have key access disabled (disable local authentication)

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-02-20 22:44:08

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.1.0 > 9.2.0)

2024-02-20 22:44:08

BuiltIn

Azure Update Manager

682e4ab9-59fe-4871-9839-265b54c568c4

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.5.0 > 3.6.0)

2024-02-20 22:44:08

BuiltIn

Resilience

[Preview]: Public IP addresses should be Zone Resilient

Public IP addresses can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP addresses that are regional, with exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP addresses that are regional, with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-02-20 22:44:08

BuiltIn

Kubernetes

[Preview]: No AKS Specific Labels

Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview)

2024-02-20 22:44:08

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-02-20 22:44:08

BuiltIn

Kubernetes

Ensure cluster containers have readiness or liveness probes configured

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-02-20 22:44:08

BuiltIn

Kubernetes

90bc8109-d21a-4692-88fc-51419391da3d

[Preview]: Reserved System Pool Taints

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview)

2024-02-20 22:44:08

BuiltIn

Resilience

[Preview]: Azure AI Search Service should be Zone Redundant

Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Backup

18314dc7-a25d-420c-a069-f094b25ff919

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.1.0 > 9.2.0)

2024-02-20 22:44:08

BuiltIn

Resilience

[Preview]: NAT gateway should be Zone Aligned

NAT gateway can be configured to be Zone Aligned or not. NAT gateway that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an NAT gateway is configured to operate within a single availability zone.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster services should use unique selectors

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-02-20 22:44:08

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Minor (4.5.0 > 4.7.0)

2024-02-20 22:44:08

BuiltIn

SQL

493c215d-2554-5976-bc81-57d2c04fc8c1

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

To ensure that SQL Server - Azure Arc resources are created by default when SQL Server instance is found on Azure Arc enabled Windows/Linux Server, the latter should have the SQL Server extension installed. This policy is deprecated because we are migrating to a more streamlined. recommended and automated process of onboarding Arc Servers with SQL installed onto the Azure extension for SQL Server. Learn more about the auto-onboarding process at https://aka.ms/SQLServerExtensionPolicyDeprecation

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, new suffix: deprecated (3.4.0 > 3.4.1-deprecated)

2024-02-20 22:44:08

BuiltIn

Resilience

[Preview]: Azure Database for MySQL Flexible Server should be Zone Resilient

Azure Database for MySQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. MySQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, MySQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Resilience

18314dc7-a25d-420c-a069-f094b25ff91b

[Preview]: Firewalls should be Zone Resilient

Firewalls can be configured to be either Zone Aligned, Zone Redundant, or neither. Firewalls that have exactly one entry in its zones array are considered Zone Aligned. In contrast, Firewalls with 3 or more entries in its zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Resilience

f58e8c0a-3c79-431a-abf8-cd1b895478e8

[Preview]: Container Instances should be Zone Aligned

Container Instances can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Resilience

bf45a74c-ed4f-4300-8afe-d6f0abdfe75b

[Preview]: Azure HDInsight should be Zone Aligned

Azure HDInsight can be configured to be Zone Aligned or not. Azure HDInsight that has exactly one entry in its zones array is considered Zone Aligned. This policy ensures that an Azure HDInsight cluster is configured to operate within a single availability zone.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (9.1.1 > 9.2.0)

2024-02-20 22:44:08

BuiltIn

Kubernetes

ae243d87-5cf3-4dce-90bd-6d62be328de3

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.0 > 6.2.0)

2024-02-20 22:44:08

BuiltIn

Resilience

[Preview]: Backup and Site Recovery should be Zone Redundant

Backup and Site Recovery can be configured to be Zone Redundant or not. Backup and Site Recovery is Zone Redundant if it's 'standardTierStorageRedundancy' property is set to 'ZoneRedundant'. Enforcing this policy helps ensure that Backup and Site Recovery is appropriately configured for zone resilience, reducing the risk of downtime during zone outages.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present

Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-02-20 22:44:08

BuiltIn

Backup

42daa904-5969-47ef-92fb-b75df946195a

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.1.0 > 9.2.0)

2024-02-20 22:44:08

BuiltIn

Resilience

[Preview]: Container App should be Zone Redundant

Container App can be configured to be Zone Redundant or not. A Container App is Zone Redundant if its managed environment's 'ZoneRedundant' property is set to true. This policy identifies Container App lacking the redundancy needed to withstand a zone outage.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.1.0 > 9.2.0)

2024-02-20 22:44:08

BuiltIn

Kubernetes

42daa901-5969-47ef-92cb-b75df946195a

[Preview]: Cannot Edit Individual Nodes

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.3-preview > 1.1.0-preview)

2024-02-20 22:44:08

BuiltIn

Resilience

[Preview]: Load Balancers should be Zone Resilient

Load Balancers with a sku other than Basic inherit the resilience of the Public IP addresses in their frontend. When combined with the 'Public IP addresses should be Zone Resilient' policy, this approach ensures the necessary redundancy to withstand a zone outage.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Resilience

493c215d-2553-4976-bc81-57d2c04fc8c1

[Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient

Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. PostgreSQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Azure Ai Services

Azure AI Services resources should restrict network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.0.0 > 3.1.0)

2024-02-20 22:44:08

BuiltIn

Kubernetes

[Preview]: Must Have Anti Affinity Rules Set

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.1-preview > 1.1.0-preview)

2024-02-20 22:44:08

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (9.1.0 > 9.2.0)

2024-02-20 22:44:08

BuiltIn

Kubernetes

4bd1f3c0-9443-49ad-b8bc-7c17a92b5924

Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-02-20 22:44:08

BuiltIn

Resilience

[Preview]: Backup Vaults should be Zone Redundant

Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant if it's storage settings type is set to 'ZoneRedundant' and they are considered to be resilient. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Resilience

493c215c-0553-4976-bc81-57d2c04fc8c1

[Preview]: Application Gateways should be Zone Resilient

Application Gateways can be configured to be either Zone Aligned, Zone Redundant, or neither. Application Gatewaysmthat havenexactly one entry in their zones array are considered Zone Aligned. In contrast, Application Gatmways withn3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-02-20 22:44:08

BuiltIn

Resilience

42daa904-5969-47ef-92cb-b75df946195a

[Preview]: API Management Service should be Zone Redundant

API Management Service can be configured to be Zone Redundant or not. An API Management Service is Zone Redundant if its sku name is 'Premium' and it has at least two entries in it's zones array. This policy identifies API Management Services lacking the redundancy needed to withstand a zone outage.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2024-02-20 22:44:08

BuiltIn

Key Vault

12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5

Azure Key Vault should use RBAC permission model

Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2024-02-13 19:27:15

BuiltIn

Network

3e9965dc-cc13-47ca-8259-a4252fd0cf7b

Configure virtual network to enable Flow Log and Traffic Analytics

Traffic analytics and Flow logs can be enabled for all virtual networks hosted in a particular region with the settings provided during policy creation. This policy does not overwrite current setting for virtual networks that already have these feature enabled. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.1.0 > 1.1.1)

2024-02-13 19:27:15

BuiltIn

Security Center

48666c5d-cec1-4043-ab6b-1be05abb24f2

Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION)

Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_UNIFIED_SOLUTION), for enabling auto provisioning of MDE Unified Agent for Windows Server 2012R2 and 2016. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Network

cd6f7aff-2845-4dab-99f2-6d1754a754b0

Deploy a Flow Log resource with target virtual network

Configures flow log for specific virtual network. It will allow to log information about IP traffic flowing through an virtual network. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.1.0 > 1.1.1)

2024-02-13 19:27:15

BuiltIn

Key Vault

cdd1dbc6-0004-4fcd-afd7-b67550de37ff

Certificates should not expire within the specified number of days

Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.1.0-preview > 2.1.1)

2024-02-13 19:27:15

BuiltIn

Monitoring

Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Backup

4510daf9-5abc-4d7d-a11d-d84416b814f6

[Preview]: Azure Backup should be enabled for Blobs in Storage Accounts

Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Monitoring

a4490248-cb97-4504-b7fb-f906afdb7437

Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewall (microsoft.network/azurefirewalls).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Backup

a25a41a7-a769-4271-841d-7ce0297be0c0

[Preview]: Azure Backup should be enabled for Managed Disks

Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Monitoring

244bcb20-b194-41f3-afcc-63aef382b64c

Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves)

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.4.0 > 3.5.0)

2024-02-13 19:27:15

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.4.0 > 3.5.0)

2024-02-13 19:27:15

BuiltIn

Monitoring

f9e2bd2f-47c7-4059-8265-c5292aa62c8a

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.3.0 > 3.4.0)

2024-02-13 19:27:15

BuiltIn

Security Center

Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...)

Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_EXCLUDE_LINUX_...), for enabling auto provisioning of MDE for Linux servers. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Monitoring

6bb23bce-54ea-4d3d-b07d-628ce0f2e4e3

Enable logging by category group for Workspace (microsoft.desktopvirtualization/workspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Workspace (microsoft.desktopvirtualization/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Security Center

da56d295-2889-41ce-a4cd-6f50fb93aa68

Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP)

Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP), for Windows downlevel machines onboarded to MDE via MMA, and auto provisioning of MDE on Windows Server 2019 , Windows Virtual Desktop and above. Must be turned on in order for the other settings (WDATP_UNIFIED, etc.) to work. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Backup

fda9cd0b-094c-4cd5-ac2a-5e06e5277c45

[Preview]: Azure Backup Extension should be installed in AKS clusters

Ensure protection installation of backup extension in your AKS Clusters to leverage Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Monitoring

6f95136f-6544-4722-a354-25a18ddb18a7

Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Host pool (microsoft.desktopvirtualization/hostpools).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

ChangeTrackingAndInventory

0b0434ec-2bad-4229-965f-bb7ae5a71257

Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2024-02-13 19:27:15

BuiltIn

Backup

[Preview]: Azure Backup should be enabled for AKS clusters

Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

ChangeTrackingAndInventory

Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview)

2024-02-13 19:27:15

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.3.0 > 3.4.0)

2024-02-13 19:27:15

BuiltIn

Network

Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.1.0 > 1.1.1)

2024-02-13 19:27:15

BuiltIn

Key Vault

c0d8e23a-47be-4032-961f-8b0ff3957061

Certificates should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.2.0-preview > 2.2.1)

2024-02-13 19:27:15

BuiltIn

Monitoring

Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service (microsoft.web/sites).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Monitoring

e9c22e0d-1f03-44da-a9d5-a9754ea53dc4

Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Function App (microsoft.web/sites).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Monitoring

3aa571d2-2e4f-4e92-8a30-4312860efbe1

Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Application group (microsoft.desktopvirtualization/applicationgroups).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Monitoring

45c6bfc7-4520-4d64-a158-730cd92eedbc

Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB (microsoft.documentdb/databaseaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

ChangeTrackingAndInventory

d38668f5-d155-42c7-ab3d-9b57b50f8fbf

Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2024-02-13 19:27:15

BuiltIn

Security Center

Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers

Audit PostgreSQL flexible servers without Advanced Data Security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-02-13 19:27:15

BuiltIn

Security Center

Deploy-MDFC-SQL-DefenderSQL-DCR

[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn

2024-02-05 19:33:54

ALZ

Security Center

17bc14a7-92e1-4551-8b8c-80f36953e166

Configure Azure Defender for Resource Manager to be enabled

Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.2 > 1.1.0)

2024-01-31 19:57:15

BuiltIn

Security Center

Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only)

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.2 > 1.1.0)

2024-01-31 19:57:15

BuiltIn

Security Center

Deploy-MDFC-SQL-DefenderSQL

[Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL (ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) BuiltIn

2024-01-31 19:57:15

ALZ

Monitoring

Deploy-Diagnostics-MariaDB

[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace

Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. Deprecating due to service retirement, https://learn.microsoft.com/en-us/azure/mariadb/whats-happening-to-mariadb

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2024-01-31 19:57:15

ALZ

Managed Identity

Deploy-UserAssignedManagedIdentity-VMInsights

[Deprecated]: Deploy User Assigned Managed Identity for VM Insights

Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2024-01-31 19:57:15

ALZ

Security Center

Deploy-MDFC-SQL-AMA

[Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

Superseded by: Configure SQL Virtual Machines to automatically install Azure Monitor Agent (f91991d1-5383-4c95-8ee5-5ac423dd8bb1) BuiltIn

2024-01-31 19:57:15

ALZ

Security Center

Deploy-MDFC-SQL-DefenderSQL-DCR

[Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn

2024-01-31 19:57:15

ALZ

Security Center

Deploy-MDFC-Arc-Sql-DefenderSQL-DCR

[Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

Superseded by: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (63d03cbd-47fd-4ee1-8a1c-9ddf07303de0) BuiltIn

2024-01-31 19:57:15

ALZ

Security Center

72f8cee7-2937-403d-84a1-a4e3e57f3c21

Configure Microsoft Defender for Key Vault plan

Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.2 > 1.1.0)

2024-01-31 19:57:15

BuiltIn

Security Center

Configure Microsoft Defender CSPM plan

Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-01-31 19:57:15

BuiltIn

Security Center

efd4031d-b232-4595-babf-ae817348e91b

Configure Microsoft Defender for Containers plan

New capabilities are continuously being added to Defender for Containers plan, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-01-31 19:57:15

BuiltIn

Kubernetes

5eb6d64a-4086-4d7a-92da-ec51aed0332d

[Preview]: Cannot Edit Individual Nodes

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview)

2024-01-31 19:57:15

BuiltIn

Security Center

Configure Microsoft Defender for Servers plan

New capabilities are continuously being added to Defender for Servers, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-01-31 19:57:15

BuiltIn

Network

Deploy-MDFC-Arc-SQL-DCR-Association

Management port access from the Internet should be blocked

This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Patch (2.1.0 > 2.1.1)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)

2024-01-31 19:57:15

ALZ

Security Center

[Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR

Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

Superseded by: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR (2227e1f1-23dd-4c3a-85a9-7024a401d8b2) BuiltIn

2024-01-31 19:57:15

ALZ

Synapse

738949be-6fd2-46b9-b969-99b53712b192

Configure Synapse Workspaces to use only Microsoft Entra identities for authentication

Require and reconfigure Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled and re-enables Microsoft Entra-only authentication on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

Stack HCI

aee306e7-80b0-46f3-814c-d3d3083ed034

[Deprecated]: Host and VM networking should be protected on Azure Stack HCI systems

This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/36f0d6bc-a253-4df8-b25b-c3a5023ff443. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

Azure Update Manager

78215662-041e-49ed-a9dd-5385911b3a1f

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Minor (4.4.1 > 4.5.0)

2024-01-24 19:15:51

BuiltIn

SQL

Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation

Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-01-24 19:15:51

BuiltIn

Stack HCI

56c47221-b8b7-446e-9ab7-c7c9dc07f0ad

[Deprecated]: Azure Stack HCI servers should meet Secured-core requirements

This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/5e6bf724-0154-49bc-985f-27b2e07e636b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

Azure Update Manager

2158ddbe-fefa-408e-b43f-d4faef8ff3b8

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.9.1 > 3.10.0)

2024-01-24 19:15:51

BuiltIn

Synapse

Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation

Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-01-24 19:15:51

BuiltIn

Key Vault

d3e82b87-6673-410b-8501-1896b688b9a3

[Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities

Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

Backup

c7031eab-0fc0-4cd9-acd0-4497bd66d91a

[Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults.

This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

Stack HCI

ae95f12a-b6fd-42e0-805c-6b94b86c9830

[Deprecated]: Azure Stack HCI systems should have encrypted volumes

This policy is deprecated because it targets security settings resource. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID /providers/Microsoft.Authorization/policyDefinitions/ee8ca833-1583-4d24-837e-96c2af9488a4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

SQL

abda6d70-9778-44e7-84a8-06713e6db027

Azure SQL Database should have Microsoft Entra-only authentication enabled during creation

Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-01-24 19:15:51

BuiltIn

SQL

0c28c3fb-c244-42d5-a9bf-f35f2999577b

Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled

Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

Stack HCI

7384fde3-11b0-4047-acbd-b3cf3cc8ce07

[Deprecated]: Azure Stack HCI servers should have consistently enforced application control policies

Default
Disabled
Allowed
Audit, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

Synapse

6ea81a52-5ca7-4575-9669-eaa910b7edf8

Synapse Workspaces should have Microsoft Entra-only authentication enabled

Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

SQL

b3a22bc9-66de-45fb-98fa-00f5df42f41a

Azure SQL Database should have Microsoft Entra-only authentication enabled

Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-24 19:15:51

BuiltIn

Azure Update Manager

c3624673-d2ff-48e0-b28c-5de1c6767c3c

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.4.1 > 3.5.0)

2024-01-24 19:15:51

BuiltIn

Synapse

Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation

Require and reconfigure Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/Synapse.

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-01-24 19:15:51

BuiltIn

Security Center - Granular Pricing

080fedce-9d4a-4d07-abf0-9f036afbc9c8

Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag

Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will disable the Defender for Servers plan for all resources (VMs, VMSSs and ARC Machines) that have the selected tag name and tag value(s).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Fixed
modify

change

Minor (4.0.0 > 4.1.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

Configure Linux Server to disable local users.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

Authentication to Linux machines should require SSH keys

Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

Audit Linux machines that do not have the passwd file permissions set to 0644

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

98cec160-6f57-4d11-86e2-0a03290a3a8a

Audit Linux machines that have accounts without passwords

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2024-01-22 17:47:54

BuiltIn

BuiltInPolicyTest

[Deprecated]: Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names. Versioning Test BuiltIn.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

BuiltInPolicyTest

fa8af49a-f61d-4f56-9138-46b77d37df43

[Deprecated]: Keys should have a rotation policy within the specified number of days after creation. Versioning Test BuiltIn.

This is a test policy only for internal use by Policy team. Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

SQL

Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers

Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

fad40cac-a972-4db0-b204-f1b15cced89a

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Fixed
modify

change

Minor (4.0.0 > 4.1.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

Local authentication methods should be disabled on Linux machines

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-01-22 17:47:54

BuiltIn

BuiltInPolicyTest

f8d398ae-0441-4921-a341-40f3973d4647

[Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn

Default
Disabled
Allowed
Deny, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

SQL

63594bb8-43bb-4bf0-bbf8-c67e5c28cb65

Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers

Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

[Preview]: Linux machines should meet STIG compliance requirement for Azure compute

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirement for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-01-22 17:47:54

BuiltIn

BuiltInPolicyTest

83a0809a-a4e3-4ef2-8a24-2afc156607af

[Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn.

This is a test policy only for internal use by Policy team. Prevents customers from applying AKS specific labels

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

Guest Configuration

c58e083e-7982-4e24-afdc-be14d312389e

[Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled

This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-deprecated > 1.2.0-deprecated)

2024-01-22 17:47:54

BuiltIn

Backup

[Preview]: Multi-User Authorization (MUA) must be enabled for Backup Vaults.

This policy audits if Multi-User Authorization (MUA) is enabled for Backup Vaults. MUA helps in securing your Backup Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/mua-for-bv.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

Guest Configuration

70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f

[Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. The machine is not configured correctly for one of the recommendations in the Azure security baseline for Docker hosts.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

f6ff485a-7630-4730-854d-cd3ad855435e

Audit Linux machines that don't have the specified applications installed

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (4.1.0 > 4.2.0)

2024-01-22 17:47:54

BuiltIn

Security Center - Granular Pricing

Configure Azure Defender for Servers to be disabled for all resources (resource level)

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

Guest Configuration

e79ffbda-ff85-465d-ab8e-7e58a557660f

[Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Due to a security fix included in version 1.6.8-1 of the OMI package for Linux, all machines should be updated to the latest release. Upgrade apps/packages that use OMI to resolve the issue. For more information, see https://aka.ms/omiguidance.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-01-22 17:47:54

BuiltIn

ElasticSan

1abc5157-29f8-4dbd-b28e-ff99526cb8b7

ElasticSan Volume Group should use private endpoints

Private endpoints lets administrator connect virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to volume group, administrator can reduce data leakage risks

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

Guest Configuration

[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines

This policy adds a user-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration. A user-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview)

2024-01-22 17:47:54

BuiltIn

SQL

Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers

Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

Minor (3.0.0 > 3.1.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

2a6ae02f-7590-40d7-88ba-b18e205a32fd

Audit Linux machines that have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (4.1.0 > 4.2.0)

2024-01-22 17:47:54

BuiltIn

Security Center

Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers

Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-01-22 17:47:54

BuiltIn

Guest Configuration

1b8c0040-b224-4ea1-be6a-47254dd5a207

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-01-22 17:47:54

BuiltIn

Security Center - Granular Pricing

Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level)

Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) in the selected scope (subscription or resource group).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

Guest Configuration

85793e88-5a58-4555-93fa-4df63c86ae9c

Linux machines should only have local accounts that are allowed

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2024-01-22 17:47:54

BuiltIn

BuiltInPolicyTest

[Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn.

Only deploy Registry Models in the allowed Registry and that are not restricted.

Default
Disabled
Allowed
Deny, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

ElasticSan

6a92fe1f-0b86-44ae-843d-2db3d2b571ae

ElasticSan should disable public network access

Disable public network access for your ElasticSan so that it's not accessible over the public internet. This can reduce data leakage risks.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

Security Center - Granular Pricing

9e4879d9-c2a0-4e40-8017-1a5a5327c843

Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag

Azure Defender for Servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. This policy will enable the Defender for Servers plan (with 'P1' subplan) for all resources (VMs and ARC Machines) that have the selected tag name and tag value(s).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2024-01-22 17:47:54

BuiltIn

Guest Configuration

Audit Linux machines that allow remote connections from accounts without passwords

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2024-01-22 17:47:54

BuiltIn

Security Center

752154a7-1e0f-45c6-a880-ac75a7e4f648

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.1 > 1.2.0)

2024-01-12 18:35:06

BuiltIn

Monitoring

Public IP addresses should have resource logs enabled for Azure DDoS Protection

Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-01-12 18:35:06

BuiltIn

Security Center

[Deprecated]: Configure Azure Defender for DNS to be enabled

This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8e86a5b6-b9bd-49d1-8e21-4bb8a0862222. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.2 > 1.1.0-deprecated)

2024-01-12 18:35:06

BuiltIn

Security Center

c6283572-73bb-4deb-bf2c-7a2b8f7462cb

[Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2024-01-12 18:35:06

BuiltIn

Security Center

SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan

To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: https://aka.ms/SQLAMAMigration

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2024-01-12 18:35:06

BuiltIn

VirtualEnclaves

ead33d15-8ff9-44d8-be85-24144ecc859e

Do not allow creation of resource types outside of the allowlist

This policy prevents deployment of resource types outside of the explicitly allowed types, in order to maintain security in a virtual enclave. https://aka.ms/VirtualEnclaves

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-12 18:35:06

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.2 > 1.3.0)

2024-01-12 18:35:06

BuiltIn

Security Center

a7aca53f-2ed4-4466-a25e-0b45ade68efd

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.2 > 1.3.0)

2024-01-12 18:35:06

BuiltIn

Security Center

Azure DDoS Protection should be enabled

DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (3.0.0 > 3.0.1)

2024-01-12 18:35:06

BuiltIn

Security Center

94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.1 > 1.3.0)

2024-01-12 18:35:06

BuiltIn

Network

Virtual networks should be protected by Azure DDoS Protection

Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs.

Default
Modify
Allowed
Modify, Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-01-12 18:35:06

BuiltIn

Data Factory

SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network

Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.2.0 > 2.3.0)

2024-01-12 18:35:06

BuiltIn

Security Center

3e9965dc-cc13-47ca-8259-a4252fd0cf7b

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR

Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.2 > 1.1.0)

2024-01-12 18:35:06

BuiltIn

Network

Configure virtual network to enable Flow Log and Traffic Analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-01-12 18:35:06

BuiltIn

Backup

31b8092a-36b8-434b-9af7-5ec844364148

[Preview]: Soft delete must be enabled for Recovery Services Vaults.

This policy audits if soft delete is enabled for Recovery Services Vaults in the scope. Soft delete can help you recover your data even after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2024-01-12 18:35:06

BuiltIn

VirtualEnclaves

337ef0ec-0703-499e-a57c-b4155034e606

Do not allow creation of specified resource types or types under specific providers

The resource providers and types specified via parameter list are not allowed to be created without explicit approval from the security team. If an exemption is granted to the policy assignment, the resource can be leveraged within the enclave. https://aka.ms/VirtualEnclaves

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-12 18:35:06

BuiltIn

Security Center

[Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.1 > 2.0.2)

2024-01-12 18:35:06

BuiltIn

Kubernetes

Disable Command Invoke on Azure Kubernetes Service clusters

Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Minor (1.0.3 > 1.1.0)

2024-01-12 18:35:06

BuiltIn

Security Center

4c3c6c5f-0d47-4402-99b8-aa543dd8bcee

Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.2 > 1.3.0)

2024-01-12 18:35:06

BuiltIn

Network

Audit flow logs configuration for every virtual network

Audit for virtual network to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through virtual network. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-01-12 18:35:06

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.1 > 1.4.0)

2024-01-12 18:35:06

BuiltIn

Security Center

090c7b07-b4ed-4561-ad20-e9075f3ccaff

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.3.1 > 1.4.0)

2024-01-12 18:35:06

BuiltIn

Security Center

Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)

Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-01-12 18:35:06

BuiltIn

Security Center

f3a7bbfd-a810-47a6-b5ba-8e17d8cffb96

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.1 > 1.4.0)

2024-01-12 18:35:06

BuiltIn

VirtualEnclaves

Network interfaces should be connected to an approved subnet of the approved virtual network

This policy blocks network interfaces from connecting to a virtual network or subnet that is not approved. https://aka.ms/VirtualEnclaves

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2024-01-12 18:35:06

BuiltIn

Security Center

bdc59948-5574-49b3-bb91-76b7c986428d

[Deprecated]: Azure Defender for DNS should be enabled

This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2024-01-12 18:35:06

BuiltIn

Security Center

17f4b1cc-c55c-4d94-b1f9-2978f6ac2957

Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)

Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2024-01-12 18:35:06

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.1 > 1.4.0)

2024-01-12 18:35:06

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL

Configure Windows Arc-enabled SQL Servers to automatically install the Microsoft Defender for SQL agent. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.2 > 1.2.0)

2024-01-12 18:35:06

BuiltIn

Key Vault

Certificates should be issued by the specified non-integrated certificate authority

Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (2.1.0 > 2.1.1)

2024-01-12 18:35:06

BuiltIn

Network

Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-01-12 18:35:06

BuiltIn

Security Center

cd6f7aff-2845-4dab-99f2-6d1754a754b0

Configure the Microsoft Defender for SQL Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.2 > 1.2.0)

2024-01-12 18:35:06

BuiltIn

Network

Deploy a Flow Log resource with target virtual network

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2024-01-12 18:35:06

BuiltIn

Guest Configuration

ec2c1bce-5ad3-4b07-bb4f-e041410cd8db

[Preview]: Nexus Compute Machines should meet Security Baseline

Utilizes the Azure Policy Guest Configuration agent for auditing. This policy ensures that machines adhere to the Nexus compute security baseline, encompassing various recommendations designed to fortify machines against a range of vulnerabilities and unsafe configurations (Linux only).

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2024-01-05 19:11:18

BuiltIn

Backup

8f09fda1-91a2-4e14-96a2-67c6281158f7

[Preview]: Do not allow creation of Recovery Services vaults of chosen storage redundancy.

Recovery Services vaults can be created with any one of three storage redundancy options today, namely, Locally-redundant Storage, Zone-redundant storage and Geo-redundant storage. If the policies in your organization requires you to block the creation of vaults that belong to a certain redundancy type, you may achieve the same using this Azure policy.

Default
Deny
Allowed
Deny, Disabled

add

new Policy

2023-12-19 19:28:10

BuiltIn

Security Center

2a6ae02f-7590-40d7-88ba-b18e205a32fd

Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-12-14 19:23:04

BuiltIn

ElasticSan

7698f4ed-80ce-4e13-b408-ee135fa400a5

ElasticSan Volume Group should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your VolumeGroup. By default, customer data is encrypted with platform-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-12-14 19:23:04

BuiltIn

Kubernetes

5b0bd968-5cb5-4513-8987-27786c6f0df8

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (9.1.0 > 9.1.1)

2023-12-14 19:23:04

BuiltIn

App Service

App Service app slots should have Client Certificates (Incoming client certificates) enabled

Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy applies to apps with Http version set to 1.1.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

bdd8bbb2-1efd-48dc-a0fd-8ddcba2e96cd

[Preview]: Azure Managed Grafana should be Zone Redundant

Azure Managed Grafana can be configured to be Zone Redundant or not. An Azure Managed Grafana instance is Zone Redundant is it's 'zoneRedundancy' property is set to 'Enabled'. Enforcing this policy helps ensure that your Azure Managed Grafana is appropriately configured for zone resilience, reducing the risk of downtime during zone outages.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

da8a2248-6b4a-44a7-96bf-bf1c0dd208c3

[Preview]: Virtual network gateways should be Zone Redundant

Virtual network gateways can be configured to be Zone Redundant or not. Virtual network gateways whose SKU name or tier does not end with 'AZ' are not Zone Redundant. This policy identifies Virtual network gateways lacking the redundancy needed to withstand a zone outage.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

App Service

36fd7371-8eb7-4321-9c30-a7100022d048

[Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled

Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates.

Default
Disabled
Allowed
Audit, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2023-12-08 20:47:07

BuiltIn

BuiltInPolicyTest

Requires resources to not have a specific tag. This is a versioning test built-in.

Denies the creation of a resource that contains the given tag. Does not apply to resource groups.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.1 > 2.0.0)

2023-12-08 20:47:07

BuiltIn

Guest Configuration

14b4e776-9fab-44b0-b53f-38d2458ea8be

[Preview]: Extended Security Updates should be installed on Windows Server 2012 Arc machines.

Windows Server 2012 Arc machines should have installed all the Extended Security Updates released by Microsoft. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

2dba5c7e-12a4-4be8-b208-f59bc49e88c2

[Preview]: Public IP Prefixes should be Zone Resilient

Public IP Prefixes can be configured to be either Zone Aligned, Zone Redundant, or neither. Public IP prefixes that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Public IP prefixes with 3 or more entries in their zones array are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

682e4ab9-59fe-4871-9839-265b54c568c4

[Preview]: Public IP addresses should be Zone Resilient

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

SQL

344ea7ca-2ba8-4d68-859b-317239714b2c

Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2023-12-08 20:47:07

BuiltIn

Resilience

[Preview]: Managed Disks should be Zone Resilient

Managed Disks can be configured to be either Zone Aligned, Zone Redundant, or neither. Managed Disks with exactly one zone assignment are Zone Aligned. Managed Disks with a sku name that ends in ZRS are Zone Redundant. This policy assists in identifying and enforcing these resilience configurations for Managed Disks.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

App Service

cf9ca02d-383e-4506-a421-258cc1a5300d

[Deprecated]: Function app slots should have 'Client Certificates (Incoming client certificates)' enabled

Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. This policy has been replaced by a new policy with the same name because Http 2.0 doesn't support client certificates.

Default
Disabled
Allowed
Audit, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2023-12-08 20:47:07

BuiltIn

Network

ebea0d86-7fbd-42e3-8a46-27e7568c2525

Bot Protection should be enabled for Azure Application Gateway WAF

This policy ensures that bot protection is enabled in all Azure Application Gateway Web Application Firewall (WAF) policies

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

SQL

19dd1db6-f442-49cf-a838-b0786b4401ef

Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2023-12-08 20:47:07

BuiltIn

App Service

App Service apps should have Client Certificates (Incoming client certificates) enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

ae243d87-5cf3-4dce-90bd-6d62be328de9

[Preview]: Event Hubs should be Zone Redundant

Event Hubs can be configured to be Zone Redundant or not. Event Hubs are Zone Redundant if it's 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

f16a3ca9-b57a-4392-b660-4c1f8442aa8d

[Preview]: SQL Elastic database pools should be Zone Redundant

SQL Elastic database pools can be configured to be Zone Redundant or not. SQL Elastic database pools are Zone Redundant if it's 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

075896de-f4f8-465b-b6d8-9e73725bb62d

[Preview]: Service Fabric Clusters should be Zone Redundant

Service Fabric Clusters can be configured to be Zone Redundant or not. Servicefabric Clusters whose nodeType do not have the multipleAvailabilityZones set to true are not Zone Redundant. This policy identifies Servicefabric Clusters lacking the redundancy needed to withstand a zone outage.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

App Service

22888755-d824-4e43-8e0b-42d481836554

[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

change

Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated)

2023-12-08 20:47:07

BuiltIn

165a4137-c3ed-4fd0-a17f-1c8a80266580

n/a

remove

165a4137-c3ed-4fd0-a17f-1c8a80266580

2023-12-08 20:47:07 (i)

BuiltIn

Resilience

[Preview]: App Service Plans should be Zone Redundant

App Service Plans can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for an App Service Plan, it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for App Service Plans.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

SQL

2f7c08c2-f671-4282-9fdb-597b6ef2c10d

Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2023-12-08 20:47:07

BuiltIn

App Service

[Deprecated]: App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

change

Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated)

2023-12-08 20:47:07

BuiltIn

Machine Learning

19539b54-c61e-4196-9a38-67598701be90

[Preview]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry

Only deploy Registry Models in the allowed Registry and that are not restricted.

Fixed
[parameters('effect')]

add

new Policy

2023-12-08 20:47:07

BuiltIn

API Management

1dc2fc00-2245-4143-99f4-874c937f13ef

Azure API Management platform version should be stv2

Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Network

27f7fb01-5fdb-44ad-954c-d582f8659533

Bot Protection should be enabled for Azure Front Door WAF

This policy ensures that bot protection is enabled in all Azure Front Door Web Application Firewall (WAF) policies

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

0fc92280-604b-4f23-9e04-5ef98d1a28df

[Preview]: SQL Managed Instances should be Zone Redundant

SQL Managed Instances can be configured to be Zone Redundant or not. Instances with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL managedInstances that need zone redundancy configuration to enhance availability and resilience within Azure.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Network

ff1f1879-a60d-4f23-9641-41e7391ec19a

Azure Application Gateway should be deployed with Azure WAF

Requires Azure Application Gateway resources to be deployed with Azure WAF.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

App Service

153ab4ca-2d58-4b5d-9134-6d8c6bdd321c

Function app slots should have Client Certificates (Incoming client certificates) enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

App Service

ab6a902f-9493-453b-928d-62c30b11b5a6

Function apps should have Client Certificates (Incoming client certificates) enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

2dec5f47-bc40-40d1-8c7d-a39d9d6808d1

[Preview]: Azure Kubernetes Service Managed Clusters should be Zone Redundant

Azure Kubernetes Service Managed Clusters can be configured to be Zone Redundant or not. The policy checks the node pools in the cluster and ensures that avaialbilty zones are set for all the node pools.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Resilience

6221cac0-bb8d-40f4-9535-5d03f713f054

[Preview]: SQL Databases should be Zone Redundant

SQL Databases can be configured to be Zone Redundant or not. Databases with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL databases that need zone redundancy configuration to enhance availability and resilience within Azure.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-12-08 20:47:07

BuiltIn

Kubernetes

[Preview]: Cannot Edit Individual Nodes

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2023-12-04 18:38:36

BuiltIn

Security Center

[Deprecated]: Microsoft Defender for Storage (Classic) should be enabled

Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, new suffix: deprecated (1.0.4 > 1.1.0-deprecated)

2023-12-04 18:38:36

BuiltIn

Security Center

cfb11c26-f069-4c14-8e36-56c394dae5af

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.3.0-preview > 1.3.1)

2023-11-17 19:29:28

BuiltIn

Service Bus

Azure Service Bus namespaces should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure Service Bus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-11-17 19:29:28

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.3.0-preview > 1.3.1)

2023-11-17 19:29:28

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.2.1-preview > 1.2.2)

2023-11-17 19:29:28

BuiltIn

Security Center

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.3.0-preview > 1.3.1)

2023-11-17 19:29:28

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.2.1-preview > 1.2.2)

2023-11-17 19:29:28

BuiltIn

Security Center

57f35901-8389-40bb-ac49-3ba4f86d889d

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.1.1-preview > 1.1.2)

2023-11-17 19:29:28

BuiltIn

Event Hub

Configure Azure Event Hub namespaces to disable local authentication

Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh.

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-11-17 19:29:28

BuiltIn

Security Center

4c660f31-eafb-408d-a2b3-6ed2260bd26c

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.1.0-preview > 1.1.1)

2023-11-17 19:29:28

BuiltIn

Azure Arc

[Preview]: Deny Extended Security Updates (ESUs) license creation or modification.

This policy enables you to restrict the creation or modification of ESU licenses for Windows Server 2012 Arc machines. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing

Default
Deny
Allowed
Deny, Disabled

add

new Policy

2023-11-17 19:29:28

BuiltIn

Event Grid

cd8f7644-6fe8-4516-bded-0e465ead03ac

Azure Event Grid namespace MQTT broker should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-11-17 19:29:28

BuiltIn

Security Center

67dcad1a-ec60-45df-8fd0-14c9d29eeaa2

Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.2.1-preview > 1.2.2)

2023-11-17 19:29:28

BuiltIn

Event Grid

Azure Event Grid namespaces should disable public network access

Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/aeg-ns-privateendpoints.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-11-17 19:29:28

BuiltIn

Security Center

40e85574-ef33-47e8-a854-7a65c7500560

Configure the Microsoft Defender for SQL Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.1.1-preview > 1.1.2)

2023-11-17 19:29:28

BuiltIn

SQL

Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled

Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-11-17 19:29:28

BuiltIn

Event Grid

1301a000-bc6b-4d90-8414-7091e3abdc40

Azure Event Grid namespace topic broker should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid namespace instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-11-17 19:29:28

BuiltIn

Guest Configuration

ec2c1bce-5ad3-4b07-bb4f-e041410cd8db

[Preview]: Nexus Compute Machines should meet Security Baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-11-17 19:29:28

BuiltIn

Service Bus

910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e

Configure Azure Service Bus namespaces to disable local authentication

Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb.

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-11-17 19:29:28

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.3.0-preview > 1.3.1)

2023-11-17 19:29:28

BuiltIn

Security Center

b4dec045-250a-48c2-b5cc-e0c4eec8b5b4

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.1-preview > 1.0.2)

2023-11-17 19:29:28

BuiltIn

SQL

A Microsoft Entra administrator should be provisioned for PostgreSQL servers

Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-11-17 19:29:28

BuiltIn

SQL

146412e9-005c-472b-9e48-c87b72ac229e

A Microsoft Entra administrator should be provisioned for MySQL servers

Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.1.0 > 1.1.1)

2023-11-17 19:29:28

BuiltIn

Event Grid

cddcbb7e-a7b1-4380-b4d8-45cf77b0d561

Configure Azure Event Grid namespace MQTT broker with private endpoints

Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/aeg-ns-privateendpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-11-17 19:29:28

BuiltIn

Event Hub

5d4e3c65-4873-47be-94f3-6f8b953a3598

Azure Event Hub namespaces should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-11-17 19:29:28

BuiltIn

Event Grid

2b21ce34-9c45-4037-9c84-0ac0dbd0095f

Configure Azure Event Grid namespaces with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-11-17 19:29:28

BuiltIn

Azure Arc

4864134f-d306-4ff5-94d8-ea4553b18c97

[Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended.

Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected even after their support lifecycle has ended. Learn How to prepare to deliver Extended Security Updates for Windows Server 2012 through AzureArc please visit https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates. For more details on pricing please visit https://aka.ms/ArcWS2012ESUPricing

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Guest Configuration Resource Contributor
•Hybrid Server Resource Administrator

add

new Policy

2023-11-17 19:29:28

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.2.0-preview > 1.2.1)

2023-11-17 19:29:28

BuiltIn

Security Center

ca8d5704-aa2b-40cf-b110-dc19052825ad

[Deprecated]: Configure Microsoft Defender for APIs should be enabled

This policy is deprecated because it does not complete all of the required steps to enable Defender for APIs, additional steps are required to complete onboarding available through the Defender for Cloud platform. Instead of continuing to use this policy, we recommend you enable Defender for APIs by following the steps outlined in the guide at https://learn.microsoft.com/azure/defender-for-cloud/defender-for-apis-deploy. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.2-deprecated > 1.0.3-deprecated)

2023-11-14 18:14:48

BuiltIn

Kubernetes

Kubernetes clusters should minimize wildcard use in role and cluster role

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-11-14 18:14:48

BuiltIn

SQL Server

f692cc79-76fb-4c61-8861-467e454ac6f8

Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates.

Subscribe eligible Arc-enabled SQL Servers instances with License Type set to Paid or PAYG to Extended Security Updates. More on extended security updates https://go.microsoft.com/fwlink/?linkid=2239401.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-11-14 18:14:48

BuiltIn

General

e624c84f-2923-4437-9fd9-4115c6da3888

Configure subscriptions to set up preview features

This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2023-11-14 18:14:48

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated)

2023-11-08 19:40:08

BuiltIn

Security Center

[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated)

2023-11-08 19:40:08

BuiltIn

Security Center

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (5.2.0-deprecated > 5.2.1-deprecated)

2023-11-08 19:40:08

BuiltIn

Kubernetes

[Preview]: Deploy Image Integrity on Azure Kubernetes Service

Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview)

2023-11-08 19:40:08

BuiltIn

Security Center

[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-deprecated > 2.0.1-deprecated)

2023-11-08 19:40:08

BuiltIn

Security Center

[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated)

2023-11-08 19:40:08

BuiltIn

Kubernetes

Deploy Image Cleaner on Azure Kubernetes Service

Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (1.0.3 > 1.0.4)

2023-11-08 19:40:08

BuiltIn

Security Center

[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated)

2023-11-08 19:40:08

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (3.0.0-deprecated > 3.0.1-deprecated)

2023-11-08 19:40:08

BuiltIn

Security Center

408934a8-941a-4c1e-ba88-dd035d9688f4

[Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.2.0-deprecated > 1.2.1-deprecated)

2023-11-08 19:40:08

BuiltIn

Resilience

[Preview]: Azure Cache for Redis Enterprise & Flash should be Zone Redundant

Azure Cache for Redis Enterprise & Flash can be configured to be Zone Redundant or not. Azure Cache for Redis Enterprise & Flash instances with fewer than 3 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis Enterprise & Flash instances lacking the redundancy needed to withstand a zone outage.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

Resilience

d3ee5dcf-0c6d-49ab-aee4-f250583a7bdc

[Preview]: Service Bus should be Zone Redundant

Service Bus can be configured to be Zone Redundant or not. When the 'zoneRedundant' property is set to 'false' for a Service Bus, it means it is not configured for Zone Redundancy. This policy identifies and enforces the Zone Redundancy configuration for Service Bus instances.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

SQL

42daa904-5969-47ef-92cb-b75df946195a

Public network access should be disabled for MySQL flexible servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-11-06 19:40:47

BuiltIn

Resilience

[Preview]: API Management Service should be Zone Redundant

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

Kubernetes

5c345cdf-2049-47e0-b8fe-b0e96bc2df35

Azure Kubernetes Service Clusters should enable cluster auto-upgrade

AKS cluster auto-upgrade can ensure your clusters are up to date and don't miss the latest features or patches from AKS and upstream Kubernetes. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

Security Center

8ac833bd-f505-48d5-887e-c993a1d3eea0

Microsoft Defender for APIs should be enabled

Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.2-preview > 1.0.3)

2023-11-06 19:40:47

BuiltIn

Security Center

API endpoints in Azure API Management should be authenticated

API endpoints published within Azure API Management should enforce authentication to help minimize security risk. Authentication mechanisms are sometimes implemented incorrectly or are missing. This allows attackers to exploit implementation flaws and to access data. Learn More about the OWASP API Threat for Broken User Authentication here: https://learn.microsoft.com/azure/api-management/mitigate-owasp-api-threats#broken-user-authentication

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2023-11-06 19:40:47

BuiltIn

Resilience

1bf67da8-b100-45bf-b89d-e4669fc54411

[Preview]: Azure Cache for Redis should be Zone Redundant

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

Resilience

85b005b2-95fc-4953-b9cb-f9ee6427c754

[Preview]: Storage Accounts should be Zone Redundant

Storage Accounts can be configured to be Zone Redundant or not. If a Storage Account's SKU name does not end with 'ZRS' or its kind is 'Storage,' it is not Zone Redundant. This policy ensures that your Storage Accounts use ae Zone Redundant configuration.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

Resilience

9d2b0a20-57d6-474c-9d12-44a4a20999c6

[Preview]: Container Registry should be Zone Redundant

Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

Resilience

cbe58ab0-07a8-43ea-9ccc-8ea33e4d6aa5

[Preview]: Azure Data Explorer Clusters should be Zone Redundant

Azure Data Explorer Clusters can be configured to be Zone Redundant or not. An Azure Data Explorer Cluster is considered Zone Redundant if it has at least two entries in its zones array. This policy helps ensure the your Azure Data Explorer Clusters are Zone Redundant.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

Kubernetes

a3dc4946-dba6-43e6-950d-f96532848c9f

Kubernetes clusters should ensure that the cluster-admin role is only used where required

The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-11-06 19:40:47

BuiltIn

Security Center

c8acafaf-3d23-44d1-9624-978ef0f8652c

API endpoints that are unused should be disabled and removed from the Azure API Management service

As a security best practice, API endpoints that haven't received traffic for 30 days are considered unused and should be removed from the Azure API Management service. Keeping unused API endpoints may pose a security risk to your organization. These may be APIs that should have been deprecated from the Azure API Management service but may have been accidentally left active. Such APIs typically do not receive the most up to date security coverage.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2023-11-06 19:40:47

BuiltIn

SQL Server

7148a409-0d59-4baa-925b-b3aae486a14e

[Preview]: Enable system-assigned identity to SQL VM

Enable system-assigned identity at scale to SQL virtual machines. You need to assign this policy at subscription level. Assign at resource group level will not work as expected.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-10-31 19:02:40

BuiltIn

Security Center

[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated)

2023-10-31 19:02:40

BuiltIn

Security Center

[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated)

2023-10-31 19:02:40

BuiltIn

Machine Learning

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview)

2023-10-31 19:02:40

BuiltIn

Machine Learning

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview)

2023-10-31 19:02:40

BuiltIn

Machine Learning

40f1aee2-4db4-4b74-acb1-c6972e24cca8

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview)

2023-10-31 19:02:40

BuiltIn

Kubernetes

Configure Node OS Auto upgrade on Azure Kubernetes Cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (1.0.0 > 1.0.1)

2023-10-31 19:02:40

BuiltIn

Security Center

Configure the Microsoft Defender for SQL Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview)

2023-10-31 19:02:40

BuiltIn

Security Center

42f4f3a2-7d20-4c13-a05d-01857a626c22

[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated)

2023-10-31 19:02:40

BuiltIn

Resilience

[Preview]: Virtual Machines should be Zone Aligned

Virtual Machines can be configured to be Zone Aligned or not. They are considered Zone Aligned if they have only one entry in their zones array. This policy ensures that they are configured to operate within a single availability zone.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-10-31 19:02:40

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview)

2023-10-31 19:02:40

BuiltIn

Security Center

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2023-10-31 19:02:40

BuiltIn

Kubernetes

78215662-041e-49ed-a9dd-5385911b3a1f

[Preview]: Deploy Image Integrity on Azure Kubernetes Service

Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview)

2023-10-31 19:02:40

BuiltIn

SQL

Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-10-31 19:02:40

BuiltIn

Security Center

d3903bdf-ab85-4cce-85d3-2934d77629d4

Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview)

2023-10-31 19:02:40

BuiltIn

Resilience

[Preview]: Virtual Machine Scale Sets should be Zone Resilient

Virtual Machine Scale Sets can be configured to be either Zone Aligned, Zone Redundant, or neither. Virtual Machine Scale Sets that have exactly one entry in their zones array are considered Zone Aligned. In contrast, Virtual Machine Scale Sets with 3 or more entries in their zones array and a capacity of at least 3 are recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-10-31 19:02:40

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster services should use unique selectors

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-10-31 19:02:40

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-10-31 19:02:40

BuiltIn

Security Center

2158ddbe-fefa-408e-b43f-d4faef8ff3b8

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview)

2023-10-31 19:02:40

BuiltIn

Synapse

Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-10-31 19:02:40

BuiltIn

Machine Learning

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview)

2023-10-31 19:02:40

BuiltIn

Security Center

c3624673-d2ff-48e0-b28c-5de1c6767c3c

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (5.2.0-preview > 5.2.0-deprecated)

2023-10-31 19:02:40

BuiltIn

Synapse

Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-10-31 19:02:40

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated)

2023-10-31 19:02:40

BuiltIn

Machine Learning

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.3.0-preview > 6.4.0-preview)

2023-10-31 19:02:40

BuiltIn

Security Center

[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.0.0-preview > 2.0.0-deprecated)

2023-10-31 19:02:40

BuiltIn

Kubernetes

abda6d70-9778-44e7-84a8-06713e6db027

Disable Command Invoke on Azure Kubernetes Service clusters

Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (1.0.2 > 1.0.3)

2023-10-31 19:02:40

BuiltIn

SQL

Azure SQL Database should have Microsoft Entra-only authentication enabled during creation

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-10-31 19:02:40

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview)

2023-10-31 19:02:40

BuiltIn

Machine Learning

44c5a1f9-7ef6-4c38-880c-273e8f7a3c24

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.3.0-preview > 5.4.0-preview)

2023-10-31 19:02:40

BuiltIn

Resilience

[Preview]: Cosmos Database Accounts should be Zone Redundant

Cosmos Database Accounts can be configured to be Zone Redundant or not. If the 'enableMultipleWriteLocations' is set to 'true' then all locations must have a 'isZoneRedundant' property and it must be set to 'true'. If the 'enableMultipleWriteLocations' is set to 'false' then the primary location ('failoverPriority' set to 0) must have a 'isZoneRedundant' property and it must be set to 'true'. Enforcing this policy ensures Cosmos Database Accounts are appropriately configured for zone redundancy.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-10-31 19:02:40

BuiltIn

Kubernetes

Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access

Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (2.0.3 > 2.0.4)

2023-10-31 19:02:40

BuiltIn

Kubernetes

[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present

Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-10-31 19:02:40

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2023-10-31 19:02:40

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2023-10-31 19:02:40

BuiltIn

Security Center

[Deprecated]: Configure Microsoft Defender for APIs should be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.0.2-preview > 1.0.2-deprecated)

2023-10-31 19:02:40

BuiltIn

Kubernetes

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (4.0.0 > 4.0.1)

2023-10-31 19:02:40

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated)

2023-10-31 19:02:40

BuiltIn

Kubernetes

Deploy Image Cleaner on Azure Kubernetes Service

Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (1.0.2 > 1.0.3)

2023-10-31 19:02:40

BuiltIn

Security Center

[Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (1.2.0-preview > 1.2.0-deprecated)

2023-10-31 19:02:40

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2023-10-31 19:02:40

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-10-31 19:02:40

BuiltIn

Kubernetes

Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access

Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (2.0.1 > 2.0.3)

2023-10-23 17:41:36

BuiltIn

Kubernetes

Disable Command Invoke on Azure Kubernetes Service clusters

Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (1.0.1 > 1.0.2)

2023-10-23 17:41:36

BuiltIn

Data Factory

78460a36-508a-49a4-b2b2-2f5ec564f4bb

SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.1.0 > 2.2.0)

2023-10-23 17:41:36

BuiltIn

General

Do not allow deletion of resource types

This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect.

Default
DenyAction
Allowed
DenyAction, Disabled

add

new Policy

2023-10-23 17:41:36

BuiltIn

Kubernetes

450d2877-ebea-41e8-b00c-e286317d21bf

Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration

AKS-managed Microsoft Entra ID integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-10-23 17:41:36

BuiltIn

Kubernetes

[Preview]: Deploy Image Integrity on Azure Kubernetes Service

Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch, suffix remains equal (1.0.1-preview > 1.0.3-preview)

2023-10-23 17:41:36

BuiltIn

Kubernetes

Deploy Image Cleaner on Azure Kubernetes Service

Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (1.0.0 > 1.0.2)

2023-10-23 17:41:36

BuiltIn

Guest Configuration

Windows machines should be configured to use secure communication protocols

To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (4.1.0 > 4.1.1)

2023-10-16 18:01:34

BuiltIn

Kubernetes

828ba269-bf7f-4082-83dd-633417bc391d

[Preview]: Deploy Image Integrity on Azure Kubernetes Service

Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-10-16 18:01:34

BuiltIn

Guest Configuration

Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines

Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-10-16 18:01:34

BuiltIn

Internet of Things

43c323f6-0329-4f7c-a19a-6e5a5690d042

Azure Device Update accounts should use customer-managed key to encrypt data at rest

Encryption of data at rest in Azure Device Update with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Learn more at:https://learn.microsoft.com/azure/iot-hub-device-update/device-update-data-encryption.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-10-16 18:01:34

BuiltIn

Machine Learning

Audit-PrivateLinkDnsZones

Configure Azure Machine Learning Workspaces to disable public network access

Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal.

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-10-09 18:04:57

BuiltIn

Network

Audit or Deny the creation of Private Link Private DNS Zones

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-10-05 18:01:59

ALZ

Monitoring

Deploy-Diagnostics-CosmosDB

[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-09-27 17:59:47

ALZ

Storage

Deploy-Storage-sslEnforcement

Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-09-27 17:59:47

ALZ

App Configuration

72bc14af-4ab8-43af-b4e4-38e7983f9a1f

Configure App Configuration stores to disable local authentication methods

Disable local authentication methods so that your App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-09-27 17:59:47

BuiltIn

SQL

Deploy-SQL-minTLS

SQL servers deploys a specific min TLS version requirement.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-09-27 17:59:47

ALZ

SQL

Deploy-MySQL-sslEnforcement

Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-09-27 17:59:47

ALZ

Container Registry

84497762-32b6-4ab3-80b6-732ea48b85a2

Container registries should prevent cache rule creation

Disable cache rule creation for your Azure Container Registry to prevent pull through cache pulls. Learn more at: https://aka.ms/acr/cache.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-09-27 17:59:47

BuiltIn

SQL

Deploy-SqlMi-minTLS

SQL managed instances deploy a specific min TLS version requirement.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.2.0)

2023-09-27 17:59:47

ALZ

Monitoring

DenyAction-DiagnosticLogs

DenyAction implementation on Diagnostic Logs.

Fixed
denyAction

add

new Policy

2023-09-27 17:59:47

ALZ

SQL

Deploy-PostgreSQL-sslEnforcement

Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-09-27 17:59:47

ALZ

App Configuration

b08ab3ca-1062-4db3-8803-eec9cae605d6

App Configuration stores should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that App Configuration stores require Microsoft Entra identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-09-27 17:59:47

BuiltIn

Monitoring

DenyAction-ActivityLogs

DenyAction implementation on Activity Logs

This is a DenyAction implementation policy on Activity Logs.

Fixed
denyAction

add

new Policy

2023-09-27 17:59:47

ALZ

Machine Learning

Configure Azure Machine Learning Workspaces to disable public network access

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-09-22 17:59:46

BuiltIn

App Service

04408ca5-aa10-42ce-8536-98955cdddd4c

Configure App Service apps to disable local authentication for SCM sites

Disabling local authentication methods for SCM sites improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-09-22 17:59:46

BuiltIn

Kubernetes

Azure Kubernetes Service Clusters should enable node os auto-upgrade

AKS node OS auto-upgrade controls node-level OS security updates. Learn more at: https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-09-22 17:59:46

BuiltIn

App Service

App Service apps should have local authentication methods disabled for SCM site deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-09-22 17:59:46

BuiltIn

App Service

Configure App Service apps to disable local authentication for FTP deployments

Disabling local authentication methods for FTP deployments improves security by ensuring that App Services exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-09-22 17:59:46

BuiltIn

App Service

40f1aee2-4db4-4b74-acb1-c6972e24cca8

Configure App Service app slots to disable local authentication for FTP deployments

Disabling local authentication methods for FTP deployments improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-09-22 17:59:46

BuiltIn

Kubernetes

Configure Node OS Auto upgrade on Azure Kubernetes Cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

add

new Policy

2023-09-22 17:59:46

BuiltIn

App Service

App Service app slots should have local authentication methods disabled for FTP deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-09-22 17:59:46

BuiltIn

App Service

App Service app slots should have local authentication methods disabled for SCM site deployments

Disabling local authentication methods for SCM sites improves security by ensuring that App Service slots exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.3 > 1.0.4)

2023-09-22 17:59:46

BuiltIn

App Service

App Service apps should have local authentication methods disabled for FTP deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-09-22 17:59:46

BuiltIn

App Service

fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f

Configure App Service app slots to disable local authentication for SCM sites

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-09-22 17:59:46

BuiltIn

Managed Identity

[Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners

This policy limits federation with GitHub repos to only approved repository owners.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-09-22 17:59:46

BuiltIn

Kubernetes

Deploy Image Cleaner on Azure Kubernetes Service

Deploy Image Cleaner on Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-cleaner

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

add

new Policy

2023-09-18 18:02:04

BuiltIn

Azure Update Manager

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (3.4.0-preview > 3.4.1)

2023-09-18 18:02:04

BuiltIn

Azure Update Manager

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (3.9.0-preview > 3.9.1)

2023-09-18 18:02:04

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure Arc-enabled servers

Fixed
modify

change

Patch, old suffix: preview (2.2.0-preview > 2.2.1)

2023-09-18 18:02:04

BuiltIn

Azure Update Manager

af3c26b2-6fad-493e-9236-9c68928516ab

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Patch, old suffix: preview (4.4.0-preview > 4.4.1)

2023-09-18 18:02:04

BuiltIn

Kubernetes

Azure Kubernetes Service Clusters should enable Image Cleaner

Image Cleaner performs automatic vulnerable, unused image identification and removal, which mitigates the risk of stale images and reduces the time required to clean them up. Learn more at: https://aka.ms/aks/image-cleaner.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-09-18 18:02:04

BuiltIn

Media Services

daccf7e4-9808-470c-a848-1c5b582a1afb

[Deprecated]: Azure Media Services content key policies should use token authentication

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-09-18 18:02:04

BuiltIn

Monitoring

36fd7371-8eb7-4321-9c30-a7100022d048

Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.1.1-preview > 1.1.2)

2023-09-11 17:59:12

BuiltIn

BuiltInPolicyTest

Requires resources to not have a specific tag. This is a versioning test built-in.

Denies the creation of a resource that contains the given tag. Does not apply to resource groups.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-09-11 17:59:12

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.2.1-preview > 1.2.2)

2023-09-11 17:59:12

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.1.1-preview > 1.1.2)

2023-09-11 17:59:12

BuiltIn

Machine Learning

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-09-11 17:59:12

BuiltIn

Machine Learning

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview)

2023-09-11 17:59:12

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.2.1-preview > 1.2.2)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-09-11 17:59:12

BuiltIn

Azure Update Manager

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview)

2023-09-11 17:59:12

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure Arc-enabled servers

Fixed
modify

change

Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview)

2023-09-11 17:59:12

BuiltIn

Machine Learning

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2023-09-11 17:59:12

BuiltIn

Machine Learning

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-09-11 17:59:12

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (3.1.0-preview > 3.1.1)

2023-09-11 17:59:12

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.2.0-preview > 6.3.0-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure the Microsoft Defender for SQL Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-09-11 17:59:12

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Minor, suffix remains equal (4.3.0-preview > 4.4.0-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2023-09-11 17:59:12

BuiltIn

Azure Update Manager

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.8.0-preview > 3.9.0-preview)

2023-09-11 17:59:12

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-09-11 17:59:12

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (3.1.0-preview > 3.1.1)

2023-09-11 17:59:12

BuiltIn

Machine Learning

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.2.0-preview > 5.3.0-preview)

2023-09-11 17:59:12

BuiltIn

Kubernetes

[Preview]: Deploy Image Integrity on Azure Kubernetes Service

Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit https://aka.ms/aks/image-integrity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

add

new Policy

2023-09-01 18:00:13

BuiltIn

Compute

Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-09-01 18:00:13

BuiltIn

Managed Identity

383856f8-de7f-44a2-81fc-e5135b5c2aa4

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview)

2023-09-01 18:00:13

BuiltIn

Internet of Things

Resource logs in IoT Hub should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.1 > 3.1.0)

2023-09-01 18:00:13

BuiltIn

Managed Identity

a2a5b911-5617-447e-a49e-59dbe0e0434b

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.5-preview > 1.0.6-preview)

2023-09-01 18:00:13

BuiltIn

Key Vault

Resource logs in Azure Key Vault Managed HSM should be enabled

To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-09-01 18:00:13

BuiltIn

Data Factory

Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported

Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-09-01 18:00:13

BuiltIn

Security Center

Configure Microsoft Defender for Storage to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.2 > 1.1.0)

2023-09-01 18:00:13

BuiltIn

ChangeTrackingAndInventory

Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)

2023-08-28 18:00:34

BuiltIn

Machine Learning

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview)

2023-08-28 18:00:34

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.3.0 > 3.4.0)

2023-08-28 18:00:34

BuiltIn

Machine Learning

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview)

2023-08-28 18:00:34

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2023-08-28 18:00:34

BuiltIn

ChangeTrackingAndInventory

Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-08-28 18:00:34

BuiltIn

Monitoring

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2023-08-28 18:00:34

BuiltIn

Machine Learning

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview)

2023-08-28 18:00:34

BuiltIn

Cognitive Services

Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-08-28 18:00:34

BuiltIn

Machine Learning

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview)

2023-08-28 18:00:34

BuiltIn

Machine Learning

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.1.0-preview > 5.2.0-preview)

2023-08-28 18:00:34

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.3.0 > 3.4.0)

2023-08-28 18:00:34

BuiltIn

ChangeTrackingAndInventory

Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-08-28 18:00:34

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.1.0-preview > 6.2.0-preview)

2023-08-28 18:00:34

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent

Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled SQL Servers. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Automanage

Configure virtual machines to be onboarded to Azure Automanage

Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (2.3.0 > 2.4.0)

2023-08-22 17:59:24

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

cf426bb8-b320-4321-8545-1b784a5df3a4

Create and assign a built-in user-assigned managed identity

Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines.

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Kubernetes

[Image Integrity] Kubernetes clusters should only use images signed by notation

Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

feedbf84-6b99-488c-acc2-71c829aa5ffc

Configure the Microsoft Defender for SQL Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-08-22 17:59:24

BuiltIn

Security Center

SQL databases should have vulnerability findings resolved

Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2023-08-22 17:59:24

BuiltIn

Automanage

640d2586-54d2-465f-877f-9ffc1d2109f4

Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2023-08-22 17:59:24

BuiltIn

Security Center

Microsoft Defender for Storage should be enabled

Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-08-11 17:58:20

BuiltIn

Monitoring

689f7782-ef2c-4270-a6d0-7664869076bd

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group

Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMSSs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview)

2023-08-11 17:58:20

BuiltIn

Security Center

Configure Microsoft Defender CSPM to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-08-11 17:58:20

BuiltIn

Monitoring

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group

Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the Arc Machines in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview)

2023-08-11 17:58:20

BuiltIn

Machine Learning

Azure Machine Learning compute instances should be recreated to get the latest software updates

Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit https://aka.ms/azureml-ci-updates/.

Fixed
[parameters('effects')]

change

Patch (1.0.2 > 1.0.3)

2023-08-11 17:58:20

BuiltIn

Monitoring

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group

Deploy a Data Collection Rule for VMInsights and deploy Data Collection Rule Association for all the VMs in the Resource Group. The policy asks if enabling of Processes and Dependencies is required and accordingly creates the DCR. Please refer to this link for newer experience migration: https://aka.ms/vminsights-dcrOnboarding

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.1-preview > 1.1.2-preview)

2023-08-11 17:58:20

BuiltIn

Security Center

Role-Based Access Control (RBAC) should be used on Kubernetes Services

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-08-11 17:58:20

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Minor, suffix remains equal (4.0.0-preview > 4.3.0-preview)

2023-08-03 17:56:09

BuiltIn

Guest Configuration

242222f3-4985-4e99-b5ef-086d6a6cb01c

Linux machines should only have local accounts that are allowed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-08-03 17:56:09

BuiltIn

App Service

Configure Function app slots to disable public network access

Disable public network access for your Function apps so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint.

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-08-03 17:56:09

BuiltIn

Security Center

3ac7c827-eea2-4bde-acc7-9568cd320efa

Machines should have secret findings resolved

Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-08-03 17:56:09

BuiltIn

Kubernetes

2cc2e023-0dac-4046-875b-178f683929d5

Azure Kubernetes Service Clusters should enable workload identity

Workload identity allows to assign a unique identity to each Kubernetes Pod and associate it with Azure AD protected resources such as Azure Key Vault, enabling secure access to these resources from within the Pod. Learn more at: https://aka.ms/aks/wi.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-08-03 17:56:09

BuiltIn

Guest Configuration

Authentication to Linux machines should require SSH keys

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-08-03 17:56:09

BuiltIn

Azure Update Manager

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.4.0-preview > 3.8.0-preview)

2023-08-03 17:56:09

BuiltIn

Monitoring

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2023-08-03 17:56:09

BuiltIn

ChangeTrackingAndInventory

c8acafaf-3d23-44d1-9624-978ef0f8652c

Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-08-03 17:56:09

BuiltIn

Security Center

API endpoints that are unused should be disabled and removed from the Azure API Management service

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-08-03 17:56:09

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2023-08-03 17:56:09

BuiltIn

Monitoring

cd794351-e536-40f4-9750-503a463d8cad

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2023-08-03 17:56:09

BuiltIn

App Service

Configure Function apps to disable public network access

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-08-03 17:56:09

BuiltIn

Guest Configuration

63594bb8-43bb-4bf0-bbf8-c67e5c28cb65

[Preview]: Linux machines should meet STIG compliance requirement for Azure compute

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-08-03 17:56:09

BuiltIn

Kubernetes

e1352e44-d34d-4e4d-a22e-451a15f759a1

Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-08-03 17:56:09

BuiltIn

App Service

2374605e-3e0b-492b-9046-229af202562c

Configure App Service apps to disable public network access

Disable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint.

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-08-03 17:56:09

BuiltIn

Guest Configuration

Audit Linux machines that don't have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2023-08-03 17:56:09

BuiltIn

ChangeTrackingAndInventory

Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-08-03 17:56:09

BuiltIn

Azure Update Manager

c6c3e00e-d414-4ca4-914f-406699bb8eee

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (3.1.0-preview > 3.3.0-preview)

2023-08-03 17:56:09

BuiltIn

App Service

Configure App Service app slots to disable public network access

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-08-03 17:56:09

BuiltIn

Guest Configuration

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-08-03 17:56:09

BuiltIn

ChangeTrackingAndInventory

335d919a-dc24-4a94-b7cb-9f81b1a8156f

Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.2.0-preview)

2023-08-03 17:56:09

BuiltIn

General

Do Not Allow MCPP resources

Block creation of MCPP resources.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-08-03 17:56:09

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2023-08-03 17:56:09

BuiltIn

Guest Configuration

176b7c36-ac64-4f15-a296-50bd7fafab12

Audit Linux machines that have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2023-08-03 17:56:09

BuiltIn

General

Do Not Allow M365 resources

Block creation of M365 resources.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-08-03 17:56:09

BuiltIn

General

16fabb5c-7379-4433-8009-042066fa3a16

Exclude Usage Costs Resources

This policy enables you to exlcude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-08-03 17:56:09

BuiltIn

Container Instance

41ebf9df-66cb-48e9-a8d0-98afb4e150ce

Configure diagnostic settings for container groups to Log Analytics workspace

Deploys the diagnostic settings for Container Instance to stream resource logs to a Log Analytics workspace when any container instance which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-08-03 17:56:09

BuiltIn

Guest Configuration

fad40cac-a972-4db0-b204-f1b15cced89a

Configure Linux Server to disable local users.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-08-03 17:56:09

BuiltIn

Guest Configuration

Local authentication methods should be disabled on Linux machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-08-03 17:56:09

BuiltIn

Guest Configuration

e79ffbda-ff85-465d-ab8e-7e58a557660f

[Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-08-03 17:56:09

BuiltIn

Guest Configuration

70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f

[Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-08-03 17:56:09

BuiltIn

Security Center

8ac833bd-f505-48d5-887e-c993a1d3eea0

API endpoints in Azure API Management should be authenticated

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-08-03 17:56:09

BuiltIn

Network

2d21331d-a4c2-4def-a9ad-ee4e1e023beb

App Service apps should use a virtual network service endpoint

Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aka.ms/appservice-vnet-service-endpoint.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2023-08-03 17:56:09

BuiltIn

Cost Optimization

Audit-AzureHybridBenefit

Audit AHUB for eligible VMs

Optimize cost by enabling Azure Hybrid Benefit. Leverage this Policy definition as a cost control to reveal Virtual Machines not using AHUB.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-07-25 17:56:05

ALZ

Azure Update Manager

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Minor, suffix remains equal (4.1.0-preview > 4.0.0-preview)

2023-07-25 17:56:05

BuiltIn

Azure Update Manager

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.6.0-preview > 3.4.0-preview)

2023-07-25 17:56:05

BuiltIn

Kubernetes

[Preview]: Must Have Anti Affinity Rules Set

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-07-24 17:56:14

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview)

2023-07-24 17:56:14

BuiltIn

Kubernetes

[Preview]: Cannot Edit Individual Nodes

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-07-24 17:56:14

BuiltIn

Azure Update Manager

766e621d-ba95-4e43-a6f2-e945db3d7888

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)

2023-07-24 17:56:14

BuiltIn

Security Center

Setup subscriptions to transition to an alternative vulnerability assessment solution

Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-07-24 17:56:14

BuiltIn

Kubernetes

d6f6f560-14b7-49a4-9fc8-d2c3a9807868

[Preview]: Reserved System Pool Taints

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-07-24 17:56:14

BuiltIn

Backup

[Preview]: Immutability must be enabled for Recovery Services vaults

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-07-24 17:56:14

BuiltIn

Kubernetes

[Preview]: No AKS Specific Labels

Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-07-24 17:56:14

BuiltIn

Azure Update Manager

480d0f91-30af-4a76-9afb-f5710ac52b09

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.5.0-preview > 3.6.0-preview)

2023-07-24 17:56:14

BuiltIn

Guest Configuration

Private endpoints for Guest Configuration assignments should be enabled

Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-07-24 17:56:14

BuiltIn

Compute

c3921d55-b741-4d16-8d56-7f16e99e6892

Protect your data with authentication requirements when exporting or uploading to a disk or snapshot.

When export/upload URL is used, the system checks if the user has an identity in Azure Active Directory and has necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-07-14 17:56:09

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-07-14 17:56:09

BuiltIn

Monitoring

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.1.0 > 4.2.0)

2023-07-14 17:56:09

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2023-07-14 17:56:09

BuiltIn

Monitoring

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-07-14 17:56:09

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2023-07-14 17:56:09

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.3.0 > 1.4.0)

2023-07-14 17:56:09

BuiltIn

Monitoring

978deb5d-c9a7-41f8-b4b2-b76880d0de1f

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2023-07-14 17:56:09

BuiltIn

Storage

Modify - Configure your Storage account to enable blob versioning

You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted. Please note existing storage accounts will not be modified to enable Blob storage versioning. Only newly created storage accounts will have Blob storage versioning enabled

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-07-10 18:02:26

BuiltIn

SQL Managed Instance

bb3c7464-033e-41ee-81dc-480fde675b20

TLS protocol 1.2 must be used for Arc SQL managed instances.

As a part of network settings, Microsoft recommends allowing only TLS 1.2 for TLS protocols in SQL Servers. Learn more on network settings for SQL Server at https://aka.ms/TlsSettingsSQLServer.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-07-10 18:02:26

BuiltIn

Managed Identity

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview)

2023-07-10 18:02:26

BuiltIn

Azure Update Manager

6599ab01-29bc-4852-a6f5-de9e2151714a

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.4.0-preview > 3.5.0-preview)

2023-07-10 18:02:26

BuiltIn

SQL Managed Instance

Transparent Data Encryption must be enabled for Arc SQL managed instances.

Enable transparent data encryption (TDE) at-rest on an Azure Arc-enabled SQL Managed Instance. Learn more at https://aka.ms/EnableTDEArcSQLMI.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-07-10 18:02:26

BuiltIn

Storage

c36a325b-ae04-4863-ad4f-19c6678f8e08

Configure your Storage account to enable blob versioning

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-07-10 18:02:26

BuiltIn

SQL Managed Instance

413923f0-ff16-41ae-8583-90c5c5d9fa8f

Customer managed key encryption must be used as part of CMK Encryption for Arc SQL managed instances.

As a part of CMK encryption, Customer managed key encryption must be used. Learn more at https://aka.ms/EnableTDEArcSQLMI.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-07-10 18:02:26

BuiltIn

Managed Identity

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.4-preview > 1.0.5-preview)

2023-07-10 18:02:26

BuiltIn

Security Center

Deploy-Sql-vulnerabilityAssessments

Configure Microsoft Defender for Storage to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-07-10 18:02:26

BuiltIn

SQL

[Deprecated]: Deploy SQL Database vulnerability Assessments

Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 003
•Monitoring Contributor
•SQL Security Manager
•Storage Account Contributor

change

Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)

Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ

2023-07-07 17:55:09

ALZ

Network

Deploy-Sql-vulnerabilityAssessments_20230706

Management port access from the Internet should be blocked

This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Minor (2.0.0 > 2.1.0)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)

2023-07-07 17:55:09

ALZ

SQL

Deploy SQL Database Vulnerability Assessments

Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 003
•Monitoring Contributor
•SQL Security Manager
•Storage Account Contributor

add

new Policy

Replaces: [Deprecated]: Deploy SQL Database vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments)

2023-07-07 17:55:09

ALZ

Security Center

3ac7c827-eea2-4bde-acc7-9568cd320efa

Machines should have secret findings resolved

Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-07-03 17:55:16

BuiltIn

Backup

4d479a11-f2b5-4f0a-bb1e-d2332aa95cda

[Preview]: Disable Cross Subscription Restore for Backup Vaults

Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrstatechange.

Default
Modify
Allowed
Modify, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-07-03 17:55:16

BuiltIn

Backup

f19b0c83-716f-4b81-85e3-2dbf057c35d6

[Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults

Disable or PermanentlyDisable Cross Subscription Restore for your Recovery Services vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: https://aka.ms/csrenhancements.

Default
Modify
Allowed
Modify, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-07-03 17:55:16

BuiltIn

Kubernetes

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.1.0 > 5.1.1)

2023-06-26 17:52:13

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.1.0 > 7.1.1)

2023-06-26 17:52:13

BuiltIn

Automanage

af35e2a4-ef96-44e7-a9ae-853dd97032c4

[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (4.1.1-deprecated > 4.2.1-deprecated)

2023-06-26 17:52:13

BuiltIn

App Platform

Azure Spring Cloud should use network injection

Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Minor (1.1.0 > 1.2.0)

2023-06-26 17:52:13

BuiltIn

Monitoring

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.0.0 > 4.0.1)

2023-06-26 17:52:13

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.1.0 > 6.1.1)

2023-06-26 17:52:13

BuiltIn

Kubernetes

d8cf8476-a2ec-4916-896e-992351803c44

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.1.0 > 5.1.1)

2023-06-26 17:52:13

BuiltIn

Key Vault

Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.

Manage your organizational compliance requirements by specifying the maximum number of days after key creation until it must be rotated.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-06-26 17:52:13

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.1.0 > 7.1.1)

2023-06-26 17:52:13

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (8.1.0 > 8.1.1)

2023-06-26 17:52:13

BuiltIn

Kubernetes

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.1.0 > 6.1.1)

2023-06-26 17:52:13

BuiltIn

Kubernetes

77d40665-3120-4348-b539-3192ec808307

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.1.0 > 6.1.1)

2023-06-26 17:52:13

BuiltIn

Data Factory

Azure Data Factory should use a Git repository for source control

Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-06-26 17:52:13

BuiltIn

Kubernetes

3ac7c827-eea2-4bde-acc7-9568cd320efa

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.1.0 > 7.1.1)

2023-06-26 17:52:13

BuiltIn

Security Center

Machines should have secret findings resolved

Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-06-26 17:52:13

BuiltIn

Data Factory

6809a3d0-d354-42fb-b955-783d207c62a8

Azure Data Factory linked service resource type should be in allow list

Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-06-26 17:52:13

BuiltIn

SQL

Deny-PublicEndpoint-MariaDB

[Deprecated] Public network access should be disabled for MariaDB

This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html

Default
Deny
Allowed
Audit, Deny, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Public network access should be disabled for MariaDB servers (fdccbe47-f3e3-4213-ad5d-ea459b2fa077) BuiltIn

2023-06-20 20:17:42

ALZ

Storage

Deny-Storage-SFTP

Storage Accounts with SFTP enabled should be denied

This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-06-20 20:17:42

ALZ

Network

Deny-Subnet-Without-Penp

Subnets without Private Endpoint Network Policies enabled should be denied

This policy denies the creation of a subnet without Private Endpoint Netwotk Policies enabled. This policy is intended for 'workload' subnets, not 'central infrastructure' (aka, 'hub') subnets.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-06-20 20:17:42

ALZ

Storage

Deny-FileServices-InsecureSmbVersions

File Services with insecure SMB versions should be denied

This policy denies the use of insecure versions of SMB (2.1 & 3.0) when using File Services on a storage account.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-06-20 20:17:42

ALZ

Storage

Deny-FileServices-InsecureKerberos

File Services with insecure Kerberos ticket encryption should be denied

This policy denies the use of insecure Kerberos ticket encryption (RC4-HMAC) when using File Services on a storage account.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-06-20 20:17:42

ALZ

Storage

Deny-StorageAccount-CustomDomain

Storage Accounts with custom domains assigned should be denied

This policy denies the creation of Storage Accounts with custom domains assigned as communication cannot be encrypted, and always uses HTTP.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-06-20 20:17:42

ALZ

Storage

Deny-FileServices-InsecureAuth

File Services with insecure authentication methods should be denied

This policy denies the use of insecure authentication methods (NTLMv2) when using File Services on a storage account.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-06-20 20:17:42

ALZ

Network

Deny-UDR-With-Specific-NextHop

User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied

This policy denies the creation of a User Defined Route with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway'.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-06-20 20:17:42

ALZ

Machine Learning

Deny-MachineLearning-PublicNetworkAccess

[Deprecated] Azure Machine Learning should have disabled public network access

Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html

Default
Deny
Allowed
Audit, Disabled, Deny

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Azure Machine Learning Workspaces should disable public network access (438c38d2-3772-465a-a9cc-7a6666a275ce) BuiltIn

2023-06-20 20:17:42

ALZ

Storage

Deny-FileServices-InsecureSmbChannel

File Services with insecure SMB channel encryption should be denied

This policy denies the use of insecure channel encryption (AES-128-CCM) when using File Services on a storage account.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2023-06-20 20:17:42

ALZ

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview)

2023-06-16 17:46:02

BuiltIn

Azure Update Manager

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.3.0-preview > 3.4.0-preview)

2023-06-16 17:46:02

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.1-preview)

2023-06-16 17:46:02

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)

2023-06-16 17:46:02

BuiltIn

Monitoring

34f95f76-5386-4de7-b824-0d8478470c9d

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)

2023-06-16 17:46:02

BuiltIn

Logic Apps

Resource logs in Logic Apps should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (5.0.0 > 5.1.0)

2023-06-16 17:46:02

BuiltIn

App Service

App Service apps should have local authentication methods disabled for SCM site deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-06-09 17:46:13

BuiltIn

App Service

App Service app slots should have local authentication methods disabled for SCM site deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-06-09 17:46:13

BuiltIn

App Service

1b5ef780-c53c-4a64-87f3-bb9c8c8094ba

Configure App Service app slots to disable local authentication for SCM sites

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-06-09 17:46:13

BuiltIn

App Service

App Service apps should disable public network access

Disabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Minor (1.0.0 > 1.1.0)

2023-06-09 17:46:13

BuiltIn

App Service

App Service app slots should have local authentication methods disabled for FTP deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-06-09 17:46:13

BuiltIn

Security Center

Guest Configuration extension should be installed on your machines

To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2023-06-09 17:46:13

BuiltIn

Guest Configuration

[Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-deprecated > 1.1.0-deprecated)

2023-06-09 17:46:13

BuiltIn

App Service

Configure App Service apps to disable local authentication for FTP deployments

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-06-09 17:46:13

BuiltIn

Kubernetes

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (2.1.0-preview > 2.1.0-deprecated)

2023-06-09 17:46:13

BuiltIn

App Service

App Service apps should have local authentication methods disabled for FTP deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-06-09 17:46:13

BuiltIn

App Service

Configure App Service app slots to disable local authentication for FTP deployments

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-06-09 17:46:13

BuiltIn

App Service

Configure App Service apps to disable local authentication for SCM sites

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-06-09 17:46:13

BuiltIn

App Service

App Service apps should use a SKU that supports private link

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (4.0.1 > 4.1.0)

2023-06-09 17:46:13

BuiltIn

Security Center

13a6c84f-49a5-410a-b5df-5b880c3fe009

[Deprecated]: Azure Security agent should be installed on your Windows virtual machine scale sets

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2023-06-06 18:29:21

BuiltIn

Security Center

[Preview]: Linux virtual machines should use only signed and trusted boot components

All OS boot components (boot loader, kernel, kernel drivers) must be signed by trusted publishers. Defender for Cloud has identified untrusted OS boot components on one or more of your Linux machines. To protect your machines from potentially malicious components, add them to your allow list or remove the identified components.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-06-06 18:29:21

BuiltIn

Guest Configuration

[Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-06-06 18:29:21

BuiltIn

Security Center

f19b0c83-716f-4b81-85e3-2dbf057c35d6

[Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2023-06-06 18:29:21

BuiltIn

Backup

[Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-06-06 18:29:21

BuiltIn

Backup

4d479a11-f2b5-4f0a-bb1e-d2332aa95cda

[Preview]: Disable Cross Subscription Restore for Backup Vaults

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-06-06 18:29:21

BuiltIn

Security Center

[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

2023-06-06 18:29:21

BuiltIn

Security Center

Deploy-Diagnostics-Firewall

[Deprecated]: Azure Security agent should be installed on your Windows virtual machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2023-06-06 18:29:21

BuiltIn

Monitoring

[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-05-30 30:17:42

ALZ

Cosmos DB

dc2d41d1-4ab1-4666-a3e1-3d51c43e0049

Configure Cosmos DB database accounts to disable local authentication

Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-26 17:43:09

BuiltIn

Azure Databricks

258823f2-4595-4b52-b333-cc96192710d8

Azure Databricks Workspaces should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-05-26 17:43:09

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2023-05-26 17:43:09

BuiltIn

Kubernetes

5450f5bd-9c72-4390-a9c4-a7aba4edfdd2

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.0.3 > 4.0.4)

2023-05-26 17:43:09

BuiltIn

Cosmos DB

Cosmos DB database accounts should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-26 17:43:09

BuiltIn

Azure Databricks

9c25c9e4-ee12-4882-afd2-11fb9d87893f

Azure Databricks Workspaces should be in a virtual network

Azure Virtual Networks provide enhanced security and isolation for your Azure Databricks Workspaces, as well as subnets, access control policies, and other features to further restrict access. Learn more at: https://docs.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/vnet-inject.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-05-26 17:43:09

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2023-05-26 17:43:09

BuiltIn

Security Center

Deploy Workflow Automation for Microsoft Defender for Cloud alerts

Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.

Fixed
deployIfNotExists

change

Patch (5.0.0 > 5.0.1)

2023-05-26 17:43:09

BuiltIn

Security Center

2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352

Deploy Workflow Automation for Microsoft Defender for Cloud recommendations

Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.

Fixed
deployIfNotExists

change

Patch (5.0.0 > 5.0.1)

2023-05-26 17:43:09

BuiltIn

Azure Databricks

Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption

Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-26 17:43:09

BuiltIn

Azure Databricks

09210db3-d32c-4b2b-b4e1-f72ae920eb11

Configure Azure Databricks Workspaces with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Databricks Workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-05-26 17:43:09

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.2.0 > 4.3.0)

2023-05-26 17:43:09

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2023-05-26 17:43:09

BuiltIn

Security Center

0eddd7f3-3d9b-4927-a07a-806e8ac9486c

Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance

Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.

Fixed
deployIfNotExists

change

Patch (5.0.0 > 5.0.1)

2023-05-26 17:43:09

BuiltIn

Azure Databricks

Configure Azure Databricks workspace to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Databricks workspaces. Learn more at: https://aka.ms/adbpe.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-26 17:43:09

BuiltIn

App Service

Append-AppService-latestTLS

AppService append sites with minimum TLS version to enforce.

Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.

Default
Append
Allowed
Append, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-22 22:17:43

ALZ

Monitoring

Deploy-Diagnostics-APIMgmt

[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-05-22 22:17:43

ALZ

Data Factory

3d02a511-74e5-4dab-a5fd-878704d4a61a

[Preview]: Azure Data Factory pipelines should only communicate with allowed domains

To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy.

Default
Deny
Allowed
Deny, Disabled

add

new Policy

2023-05-22 17:43:18

BuiltIn

Azure Databricks

09210db3-d32c-4b2b-b4e1-f72ae920eb11

Configure Azure Databricks Workspaces with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Azure Databricks

51c1490f-3319-459c-bbbc-7f391bbed753

Azure Databricks Clusters should disable public IP

Disabling public IP of clusters in Azure Databricks Workspaces improves security by ensuring that the clusters aren't exposed on the public internet. Learn more at: https://learn.microsoft.com/azure/databricks/security/secure-cluster-connectivity.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Machine Learning

Configure Azure Machine Learning Workspaces to disable public network access

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Machine Learning

9c25c9e4-ee12-4882-afd2-11fb9d87893f

Azure Machine Learning Workspaces should disable public network access

Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2023-05-22 17:43:18

BuiltIn

Azure Databricks

Azure Databricks Workspaces should be in a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Machine Learning

138ff14d-b687-4faa-a81c-898c91a87fa2

Azure Machine Learning Computes should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2023-05-22 17:43:18

BuiltIn

Azure Databricks

Resource logs in Azure Databricks Workspaces should be enabled

Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Machine Learning

7804b5c7-01dc-4723-969b-ae300cc07ff1

Azure Machine Learning Computes should be in a virtual network

Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Machine Learning

afe0c3be-ba3b-4544-ba52-0c99672a8ad6

Resource logs in Azure Machine Learning Workspaces should be enabled

Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Azure Databricks

23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d

Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace

Deploys the diagnostic settings for Azure Databricks Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Databricks Workspace which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

App Service

70adbb40-e092-42d5-a6f8-71c540a5efdb

Configure Function app slots to turn off remote debugging

Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-22 17:43:18

BuiltIn

Machine Learning

cca5adfe-626b-4cc6-8522-f5b6ed2391bd

Configure Azure Machine Learning Computes to disable local authentication methods

Default
Modify
Allowed
Modify, Disabled

change

Patch (2.0.0 > 2.0.1)

2023-05-22 17:43:18

BuiltIn

App Service

Configure App Service app slots to turn off remote debugging

Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-22 17:43:18

BuiltIn

Azure Databricks

258823f2-4595-4b52-b333-cc96192710d8

Azure Databricks Workspaces should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Security Center

a1181c5f-672a-477a-979a-7d58aa086233

Security Center standard pricing tier should be selected

The standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in Azure Security Center

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-22 17:43:18

BuiltIn

Azure Databricks

0e7849de-b939-4c50-ab48-fc6b0f5eeba2

Azure Databricks Workspaces should disable public network access

Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead. Learn more at: https://learn.microsoft.com/azure/databricks/administration-guide/cloud-configurations/azure/private-link.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Machine Learning

f59276f0-5740-4aaf-821d-45d185aa210e

Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace

Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-22 17:43:18

BuiltIn

Machine Learning

090c7b07-b4ed-4561-ad20-e9075f3ccaff

Azure Machine Learning compute instances should be recreated to get the latest software updates

Fixed
[parameters('effects')]

change

Patch (1.0.1 > 1.0.2)

2023-05-22 17:43:18

BuiltIn

Security Center

Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-22 17:43:18

BuiltIn

Network

Management port access from the Internet should be blocked

This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)

2023-05-17 17:17:42

ALZ

Security Center

e27a6dfc-883f-4f9e-97cc-a819fe702400

[Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-05-16 17:42:35

BuiltIn

SQL

[Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled

This policy is deprecated because it uses unsupported api. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID b4dec045-250a-48c2-b5cc-e0c4eec8b5b4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2023-05-16 17:42:35

BuiltIn

Azure Data Explorer

8945ba5e-918e-4a57-8117-fe615d12e3ba

All Database Admin on Azure Data Explorer should be disabled

Disable all database admin role to restrict granting highly privileged/administrative user role.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-05-16 17:42:35

BuiltIn

Managed Identity

496ca26b-f669-4322-a1ad-06b7b5e41882

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview)

2023-05-12 17:41:51

BuiltIn

Data Factory

Configure private endpoints for Data factories

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-12 17:41:51

BuiltIn

Managed Identity

17f4b1cc-c55c-4d94-b1f9-2978f6ac2957

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.3-preview > 1.0.4-preview)

2023-05-12 17:41:51

BuiltIn

Security Center

Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-12 17:41:51

BuiltIn

Kubernetes

f36de009-cacb-47b3-b936-9c4c9120d064

[Preview]: No AKS Specific Labels

Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-05-05 17:42:17

BuiltIn

SQL Server

Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment.

Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-05 17:42:17

BuiltIn

Kubernetes

[Preview]: Reserved System Pool Taints

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-05-05 17:42:17

BuiltIn

Guest Configuration

Configure time zone on Windows machines.

This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.

Fixed
deployIfNotExists

change

Minor (2.0.0 > 2.1.0)

2023-05-05 17:42:17

BuiltIn

Kubernetes

[Preview]: Cannot Edit Individual Nodes

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-05-05 17:42:17

BuiltIn

Kubernetes

[Preview]: Must Have Anti Affinity Rules Set

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-05-05 17:42:17

BuiltIn

Kubernetes

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (8.0.1 > 8.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

46dad49f-8945-44d7-9bb1-2e1542f627d3

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

Default
Audit
Allowed
Audit, Disabled

change

Minor (3.0.1 > 3.1.0)

2023-05-01 17:41:52

BuiltIn

App Service

App Service app slots that use Java should use a specified 'Java version'

Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-01 17:41:52

BuiltIn

Kubernetes

ebb62a0c-3560-49e1-89ed-27e074e9f8ad

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

[Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 0cfea604-3201-4e14-88fc-fae4c427a6c5. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

829b40f3-d3db-4fd2-be46-76663d3aeeb2

[Deprecated]: Configure Azure Defender for DNS to be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-05-01 17:41:52

BuiltIn

App Service

Function app slots that use Python should use a specified 'Python version'

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-01 17:41:52

BuiltIn

Security Center

Configure Microsoft Defender for Key Vault plan

Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.0.1 > 5.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2023-05-01 17:41:52

BuiltIn

App Service

b99b73e7-074b-4089-9395-b7236f094491

App Service apps that use PHP should use a specified 'PHP version'

Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a PHP version that meets your requirements.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2023-05-01 17:41:52

BuiltIn

Security Center

Configure Azure Defender for Azure SQL database to be enabled

Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-01 17:41:52

BuiltIn

Kubernetes

8e86a5b6-b9bd-49d1-8e21-4bb8a0862222

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.0.2 > 4.0.3)

2023-05-01 17:41:52

BuiltIn

Security Center

Configure Azure Defender for servers to be enabled

Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-01 17:41:52

BuiltIn

Security Center

c9ddb292-b203-4738-aead-18e2716e858f

Configure Microsoft Defender for Containers to be enabled

Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.0.1 > 5.1.0)

2023-05-01 17:41:52

BuiltIn

Key Vault

Azure Key Vault should have firewall enabled or public network access disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.1.1 > 3.2.1)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster should not use naked pods

Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.1 > 2.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.0.1 > 7.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (8.0.1 > 8.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (8.0.1 > 8.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (8.0.1 > 8.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.0.1 > 5.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

e3576e28-8b17-4677-84c3-db2990658d64

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

[Deprecated]: MFA should be enabled on accounts with read permissions on your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2023-05-01 17:41:52

BuiltIn

Monitoring

Deploy Diagnostic Settings for Service Bus to Log Analytics workspace

Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.0.1 > 7.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

5c607a2e-c700-4744-8254-d77e7c9eb5e4

Kubernetes cluster Windows containers should not overcommit cpu and memory

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.1 > 2.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

[Deprecated]: External accounts with write permissions should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 94e1c2ac-cbbe-4cac-a2b5-389c812dee87. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2023-05-01 17:41:52

BuiltIn

API Management

ffe25541-3853-4f4e-b71d-064422294b11

API Management should have username and password authentication disabled

To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-01 17:41:52

BuiltIn

App Service

014664e7-e348-41a3-aeb9-566e4ff6a9df

Configure App Service app slots to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

aa633080-8b72-40c4-a2d7-d00c03e80bed

[Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e3e008c3-56b9-4133-8fd7-d3347377402a. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.0.1 > 5.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.1 > 4.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Ensure cluster containers have readiness or liveness probes configured

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.0.1 > 3.1.0)

2023-05-01 17:41:52

BuiltIn

App Service

40e85574-ef33-47e8-a854-7a65c7500560

App Service apps that use Python should use a specified 'Python version'

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for App Service apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Python version that meets your requirements.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2023-05-01 17:41:52

BuiltIn

SQL

Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-01 17:41:52

BuiltIn

SQL

e27a6dfc-883f-4f9e-97cc-a819fe702400

[Deprecated]: Azure PostgreSQL flexible server should have Azure Active Directory Only Authentication enabled

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-01 17:41:52

BuiltIn

Security Center

Configure Azure Defender for Resource Manager to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-05-01 17:41:52

BuiltIn

Kubernetes

74c30959-af11-47b3-9ed2-a26e03f427a3

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.1 > 4.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

[Deprecated]: Configure Microsoft Defender for Storage (Classic) to be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-05-01 17:41:52

BuiltIn

App Service

e1d1b522-02b0-4d18-a04f-5ab62d20445f

Function app slots that use Java should use a specified 'Java version'

Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. This policy only applies to Linux apps. This policy requires you to specify a Java version that meets your requirements.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-01 17:41:52

BuiltIn

Kubernetes

5f76cf89-fbf2-47fd-a3f4-b891fa780b60

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.0.1 > 7.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

[Deprecated]: External accounts with read permissions should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e9ac8f8e-ce22-4355-8f04-99b911d6be52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (9.0.1 > 9.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

9c014953-ef68-4a98-82af-fd0f6b2306c8

[Preview]: Kubernetes clusters should restrict creation of given resource type

Given Kubernetes resource type should not be deployed in certain namespace.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (2.1.1-preview > 2.2.0-preview)

2023-05-01 17:41:52

BuiltIn

App Service

App Service app slots that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-01 17:41:52

BuiltIn

App Service

f466b2a6-823d-470d-8ea5-b031e72d79ae

App Service app slots that use PHP should use a specified 'PHP version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (9.0.1 > 9.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

fa3a6357-c6d6-4120-8429-855577ec0063

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.0.1 > 7.1.0)

2023-05-01 17:41:52

BuiltIn

App Service

Configure Function app slots to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-01 17:41:52

BuiltIn

App Service

App Service apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.1 > 2.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

689f7782-ef2c-4270-a6d0-7664869076bd

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.0.1 > 5.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

Configure Microsoft Defender CSPM to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-01 17:41:52

BuiltIn

Kubernetes

f8456c1c-aa66-4dfb-861a-25d127b775c9

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.0.1 > 7.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

[Deprecated]: External accounts with owner permissions should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 339353f6-2387-4a45-abe4-7f529d121046. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2023-05-01 17:41:52

BuiltIn

Security Center

9297c21d-2ed6-4474-b48f-163f75654ce3

[Deprecated]: MFA should be enabled for accounts with write permissions on your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.1 > 3.0.1-deprecated)

2023-05-01 17:41:52

BuiltIn

App Service

Function apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2023-05-01 17:41:52

BuiltIn

App Service

Function apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed pull policy

Restrict containers' pull policy to enforce containers to use only allowed images on deployments

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.0.1 > 3.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview)

2023-05-01 17:41:52

BuiltIn

Kubernetes

5485eac0-7e8f-4964-998b-a44f4f0c1e75

Kubernetes resources should have required annotations

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.0.1 > 3.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should not run as ContainerAdministrator

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.0.1 > 5.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (9.0.1 > 9.1.0)

2023-05-01 17:41:52

BuiltIn

Kubernetes

50ea7265-7d8c-429e-9a7d-ca1f410191c3

Kubernetes cluster Windows containers should only run with approved user and domain user group

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.1 > 2.1.0)

2023-05-01 17:41:52

BuiltIn

Security Center

Configure Azure Defender for SQL servers on machines to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-05-01 17:41:52

BuiltIn

Security Center

6b1cbf55-e8b6-442f-ba4c-7246b6381474

[Deprecated]: Deprecated accounts should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2023-05-01 17:41:52

BuiltIn

Cache

Append-Redis-disableNonSslPort

Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled.

Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.

Default
Append
Allowed
Append, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-04-25 25:17:42

ALZ

Guest Configuration

a2d0e922-65d0-40c4-8f87-ea6da2d307a2

Audit Windows machines that do not restrict the minimum password length to specified number of characters

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-04-25 17:42:14

BuiltIn

Guest Configuration

4ceb8dc2-559c-478b-a15b-733fbf1e3738

Audit Windows machines that do not have the maximum password age set to specified number of days

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-04-25 17:42:14

BuiltIn

Guest Configuration

5b054a0d-39e2-4d53-bea3-9734cad2c69b

Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-04-25 17:42:14

BuiltIn

Security Center

237b38db-ca4d-4259-9e47-7882441ca2c0

Deploy export to Event Hub for Microsoft Defender for Cloud data

Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.

Fixed
deployIfNotExists

change

Minor (4.1.0 > 4.2.0)

2023-04-25 17:42:14

BuiltIn

Guest Configuration

Audit Windows machines that do not have the minimum password age set to specified number of days

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-04-25 17:42:14

BuiltIn

Security Center

af9f6c70-eb74-4189-8d15-e4f11a7ebfd4

Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data

Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-04-25 17:42:14

BuiltIn

API Management

1b0d74ac-4b43-4c39-a15f-594385adc38d

Modify API Management to disable username and password authentication

To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication.

Default
Modify
Allowed
Modify

change

Minor (1.0.0 > 1.1.0)

2023-04-17 17:42:20

BuiltIn

Security Center

67529aa1-5285-4b1c-8e6f-5ccd861ac98e

Microsoft Defender for APIs should be enabled

Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2023-04-17 17:42:20

BuiltIn

Managed Grafana

Configure Azure Managed Grafana workspaces to disable public network access

Disable public network access for your Azure Managed Grafana workspace so that it's not accessible over the public internet. This can reduce data leakage risks.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-04-17 17:42:20

BuiltIn

SQL Server

f36de009-cacb-47b3-b936-9c4c9120d064

Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment.

Enable or disable SQL best practices assessment on the SQL server instances on your Arc-enabled servers to evaluate best practices. Learn more at https://aka.ms/azureArcBestPracticesAssessment.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-04-17 17:42:20

BuiltIn

Security Center

ffe25541-3853-4f4e-b71d-064422294b11

[Deprecated]: Configure Microsoft Defender for APIs should be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2023-04-17 17:42:20

BuiltIn

API Management

API Management should have username and password authentication disabled

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-04-17 17:42:20

BuiltIn

Network

Deny-RDP-From-Internet

[Deprecated] RDP access from the Internet should be blocked

This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html

Default
Deny
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated)

Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ

2023-04-17 17:17:42

ALZ

SQL

Deploy-Sql-Tde

[Deprecated] Deploy SQL Database Transparent Data Encryption

Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.0-deprecated > 1.1.1-deprecated)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn

2023-04-17 17:17:42

ALZ

Key Vault

Azure Key Vault should have firewall enabled or public network access disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (3.1.0 > 3.1.1)

2023-04-11 17:42:55

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2023-04-06 17:42:16

BuiltIn

Monitoring

3e9965dc-cc13-47ca-8259-a4252fd0cf7b

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

Network

Configure virtual network to enable Flow Log and Traffic Analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-04-06 17:42:16

BuiltIn

Monitoring

Windows virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

Monitoring

36fd7371-8eb7-4321-9c30-a7100022d048

Linux virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

BuiltInPolicyTest

Requires resources to not have a specific tag. This is a versioning test built-in.

Denies the creation of a resource that contains the given tag. Does not apply to resource groups.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-04-06 17:42:16

BuiltIn

Monitoring

27960feb-a23c-4577-8d36-ef8b5f35e0be

Linux virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

Network

All flow log resources should be in enabled state

Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-04-06 17:42:16

BuiltIn

Monitoring

2f080164-9f4d-497e-9db6-416dc9f7b48a

Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-04-06 17:42:16

BuiltIn

Network

Network Watcher flow logs should have traffic analytics enabled

Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-04-06 17:42:16

BuiltIn

Network

4c3c6c5f-0d47-4402-99b8-aa543dd8bcee

Audit flow logs configuration for every virtual network

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-04-06 17:42:16

BuiltIn

Monitoring

ae62c456-33de-4dc8-b100-7ce9028a7d99

Windows virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

Managed Identity

[Preview]: Managed Identity Federated Credentials from Azure Kubernetes should be from trusted sources

This policy limits federeation with Azure Kubernetes clusters to only clusters from approved tenants, approved regions, and a specific exception list of additional clusters.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2023-04-06 17:42:16

BuiltIn

Monitoring

cd6f7aff-2845-4dab-99f2-6d1754a754b0

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

Network

Deploy a Flow Log resource with target virtual network

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-04-06 17:42:16

BuiltIn

Monitoring

Configure Linux Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.2.0 > 2.3.0)

2023-04-06 17:42:16

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.1.0 > 4.2.0)

2023-04-06 17:42:16

BuiltIn

Network

146412e9-005c-472b-9e48-c87b72ac229e

Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-04-06 17:42:16

BuiltIn

SQL

A Microsoft Entra administrator should be provisioned for MySQL servers

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-04-06 17:42:16

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-04-06 17:42:16

BuiltIn

Monitoring

Configure Windows Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.2.0 > 2.3.0)

2023-04-06 17:42:16

BuiltIn

Machine Learning

fd1a8e20-2c4f-4a6c-9354-b58d786d9a1f

Azure Machine Learning compute instances should be recreated to get the latest software updates

Fixed
[parameters('effects')]

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2023-04-06 17:42:16

BuiltIn

Managed Identity

[Preview]: Managed Identity Federated Credentials from GitHub should be from trusted repository owners

This policy limits federation with GitHub repos to only approved repository owners.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2023-04-06 17:42:16

BuiltIn

Managed Identity

2571b7c3-3056-4a61-b00a-9bc5232234f5

[Preview]: Managed Identity Federated Credentials should be from allowed issuer types

This policy limits whether Managed Identities can use federated credentials, which common issuer types are allowed, and provides a list of allowed issuer exceptions.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2023-04-06 17:42:16

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

Key Vault

Audit-PrivateLinkDnsZones

Azure Key Vault should have firewall enabled or public network access disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-04-06 17:42:16

BuiltIn

Network

Audit or Deny the creation of Private Link Private DNS Zones

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-04-06 06:17:42

ALZ

SQL

Deploy-Sql-Tde

[Deprecated] Deploy SQL Database Transparent Data Encryption

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn

2023-04-06 06:17:42

ALZ

Monitoring

Deploy-Diagnostics-VWanS2SVPNGW

[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2023-04-06 06:17:42

ALZ

Network

Deny-RDP-From-Internet

[Deprecated] RDP access from the Internet should be blocked

This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html

Default
Deny
Allowed
Audit, Deny, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Management port access from the Internet should be blocked (Deny-MgmtPorts-From-Internet) Custom ALZ

2023-04-06 06:17:42

ALZ

Monitoring

[Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-04-06 06:17:42

ALZ

Network

Deploy-Diagnostics-EventGridTopic

Management port access from the Internet should be blocked

This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

Replaces: [Deprecated] RDP access from the Internet should be blocked (Deny-RDP-From-Internet)

2023-04-06 06:17:42

ALZ

Monitoring

[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-04-06 06:17:42

ALZ

Cost Optimization

Audit-ServerFarms-UnusedResourcesCostOptimization

Unused App Service plans driving cost should be avoided

Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-04-06 06:17:42

ALZ

Compute

Deploy-Vm-autoShutdown

Deploy Virtual Machine Auto Shutdown Schedule

Deploys an auto shutdown schedule to a virtual machine

Fixed
deployIfNotExists

add

new Policy

2023-04-06 06:17:42

ALZ

Cost Optimization

Audit-Disks-UnusedResourcesCostOptimization

Unused Disks driving cost should be avoided

Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-04-06 06:17:42

ALZ

Cost Optimization

Audit-PublicIpAddresses-UnusedResourcesCostOptimization

Unused Public IP addresses driving cost should be avoided

Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-04-06 06:17:42

ALZ

Security Center

74c30959-af11-47b3-9ed2-a26e03f427a3

[Deprecated]: Configure Microsoft Defender for Storage (Classic) to be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-03-31 17:44:15

BuiltIn

Security Center

17bc14a7-92e1-4551-8b8c-80f36953e166

Configure Microsoft Defender for Storage to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-03-31 17:44:15

BuiltIn

Security Center

Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only)

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-03-31 17:44:15

BuiltIn

API Management

7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2

Configure API Management services to disable access to API Management public service configuration endpoints

To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-31 17:44:15

BuiltIn

Cosmos DB

da69ba51-aaf1-41e5-8651-607cd0b37088

Configure CosmosDB accounts to disable public network access

Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-03-31 17:44:15

BuiltIn

Security Center

405c5871-3e91-4644-8a63-58e19d68ff5b

[Deprecated]: Microsoft Defender for Storage (Classic) should be enabled

Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.3 > 1.0.4)

2023-03-31 17:44:15

BuiltIn

Key Vault

Azure Key Vault should disable public network access

Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-31 17:44:15

BuiltIn

Monitoring

cd906338-3453-47ba-9334-2d654bf845af

Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled

Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-03-31 17:44:15

BuiltIn

API Management

1b0d74ac-4b43-4c39-a15f-594385adc38d

Modify API Management to disable username and password authentication

Default
Modify
Allowed
Modify

add

new Policy

2023-03-31 17:44:15

BuiltIn

Network

ca85ef9a-741d-461d-8b7a-18c2da82c666

Azure Web Application Firewall on Azure Application Gateway should have request body inspection enabled

Ensure that Web Application Firewalls associated to Azure Application Gateways have Request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-03-31 17:44:15

BuiltIn

API Management

df73bd95-24da-4a4f-96b9-4e8b94b402bd

API Management should disable public network access to the service configuration endpoints

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-03-31 17:44:15

BuiltIn

Network

4598f028-de1f-4694-8751-84dceb5f86b9

Azure Web Application Firewall on Azure Front Door should have request body inspection enabled

Ensure that Web Application Firewalls associated to Azure Front Doors have request body inspection enabled. This allows the WAF to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-03-31 17:44:15

BuiltIn

Key Vault

e52e8487-4a97-48ac-b3e6-1c3cef45d298

Key vaults should have deletion protection enabled

Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-03-31 17:44:15

BuiltIn

Network

Enable Rate Limit rule to protect against DDoS attacks on Azure Front Door WAF

The Azure Web Application Firewall (WAF) rate limit rule for Azure Front Door controls the number of requests allowed from a particular client IP address to the application during a rate limit duration.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-03-31 17:44:15

BuiltIn

API Management

b741306c-968e-4b67-b916-5675e5c709f4

API Management direct management endpoint should not be enabled

The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.1 > 1.0.2)

2023-03-31 17:44:15

BuiltIn

Network

882e19a6-996f-400e-a30f-c090887254f4

Migrate WAF from WAF Config to WAF Policy on Application Gateway

If you have WAF Config instead of WAF Policy, then you may want to move to the new WAF Policy. Going forward, the firewall policy will support WAF policy settings, managed rulesets, exclusions, and disabled rule-groups.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-03-31 17:44:15

BuiltIn

API Management

ef619a2c-cc4d-4d03-b2ba-8c94a834d85b

API Management services should use a virtual network

Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2023-03-31 17:44:15

BuiltIn

Storage

361c2074-3595-4e5d-8cab-4f21dffc835c

[Deprecated]: Deploy Defender for Storage (Classic) on storage accounts

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-03-31 17:44:15

BuiltIn

SQL

6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.3.0 > 3.4.0)

2023-03-31 17:44:15

BuiltIn

Monitoring

Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

71153be3-4742-4aae-9aec-150f7589311b

Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Azure Databricks

9c25c9e4-ee12-4882-afd2-11fb9d87893f

Azure Databricks Workspaces should be in a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-03-27 17:43:07

BuiltIn

Monitoring

dfbfceaa-14b2-4a90-a679-d169fa6a6a38

Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e

Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

f5094957-e0f7-4af2-9e14-13d60141dc4a

Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

8d0726a6-abae-4b04-9d2e-1f2f67a47e6d

Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Azure Databricks

09210db3-d32c-4b2b-b4e1-f72ae920eb11

Configure Azure Databricks Workspaces with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-03-27 17:43:07

BuiltIn

Monitoring

fc744b31-a930-4eb5-bc06-e81f98bf7214

Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

480851ae-9ff3-49d1-904c-b5bd6f83f1ec

Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Azure Update Manager

a285df35-0164-4f4d-9e04-c39056742c55

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.2.0-preview > 3.3.0-preview)

2023-03-27 17:43:07

BuiltIn

Monitoring

Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

App Service

a08ae1ab-8d1d-422b-a123-df82b307ba61

App Service app slots should have remote debugging turned off

Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-03-27 17:43:07

BuiltIn

Monitoring

d9f11fea-dd45-46aa-8908-b7a146f1e543

Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

ae48c709-d2b4-4fad-8c5c-838524130aa4

Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

76539a09-021e-4300-953b-4c6018ac26dc

Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

73fb42d8-b57f-41cd-a840-8f4dedb1dd27

Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

3d034ef2-001c-46f6-a47b-e6e4a74ff89b

Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

eb5a4c26-04cb-4ab1-81cb-726dc58df772

Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

a853abad-dfa4-4bf5-aaa1-04cb10c02d23

Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

5f6f2aba-e57f-42ed-9aeb-ffa7321a56db

Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

f6d5d5d5-0fa9-4257-b820-69c35016c973

Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Azure Databricks

0eddd7f3-3d9b-4927-a07a-806e8ac9486c

Configure Azure Databricks workspace to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-03-27 17:43:07

BuiltIn

Monitoring

3a8ff864-d881-44ce-bed3-0c63ede634cb

Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

8d253bba-a338-4fd9-9752-6b6edadca1eb

Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

6b2899d8-5fdf-4ade-ba59-f1f82664877b

Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

a81eb966-6696-46b1-9153-bed01569a7d0

Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

9ba29e83-863d-4fec-81d0-16dd87067cc3

Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

fc602c00-2ce3-4556-b615-fa4159517103

Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

792f8b74-dc05-44fd-b90d-340a097b80e6

Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

0628b917-d4b4-4af5-bc2b-b4f87cd173ab

Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

e7c86682-34c1-488a-9aab-9cb279207992

Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Azure Databricks

258823f2-4595-4b52-b333-cc96192710d8

Azure Databricks Workspaces should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Databricks workspaces, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/adbpe.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-03-27 17:43:07

BuiltIn

Monitoring

a142867f-3142-4ac6-b952-ab950a29fca5

Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

e488a548-7afd-43a7-a903-2a6dd36e7504

Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

9e6aee71-3781-4acd-bba7-aac4fb067dfa

Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

1abe42e1-a726-4dee-94c2-79f364dac9b7

Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

API Management

b9b976cc-59ef-468a-807e-19afa2ebfd52

API Management APIs should use only encrypted protocols

To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (2.0.1 > 2.0.2)

2023-03-27 17:43:07

BuiltIn

Monitoring

Enable logging by category group for microsoft.network/p2svpngateways to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Monitoring

a9ebdeda-251a-4311-92be-5167d73b1682

Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-27 17:43:07

BuiltIn

Security Center

45e05259-1eb5-4f70-9574-baf73e9d219b

[Deprecated]: Vulnerabilities in security configuration on your machines should be remediated

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-03-17 18:44:06

BuiltIn

Machine Learning

Azure Machine Learning workspaces should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-03-17 18:44:06

BuiltIn

API Management

92bb331d-ac71-416a-8c91-02f2cb734ce4

API Management calls to API backends should not bypass certificate thumbprint or name validation

To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.1 > 1.0.2)

2023-03-17 18:44:06

BuiltIn

Container Instances

21c469fa-a887-4363-88a9-60bfd6911a15

Configure diagnostics for container group to log analytics workspace

Appends the specified log analytics workspaceId and workspaceKey when any container group which is missing these fields is created or updated. Does not modify the fields of container groups created before this policy was applied until those resource groups are changed.

Default
Append
Allowed
Append, Disabled

add

new Policy

2023-03-17 18:44:06

BuiltIn

Guest Configuration

[Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-17 18:44:06

BuiltIn

Kubernetes

62a3ae95-8169-403e-a2d2-b82141448092

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.0.1 > 4.0.2)

2023-03-17 18:44:06

BuiltIn

SignalR

Modify Azure SignalR Service resources to disable public network access

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-17 18:44:06

BuiltIn

Kubernetes

Azure Kubernetes Service clusters should have Defender profile enabled

Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks

Default
Audit
Allowed
Audit, Disabled

change

Patch (2.0.0 > 2.0.1)

2023-03-17 18:44:06

BuiltIn

Machine Learning

21a9766a-82a5-4747-abb5-650b6dbba6d0

[Deprecated]: Azure Machine Learning workspaces should use private link

This policy is deprecated because private link is created after workspace creation, deny action can never succeed. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 45e05259-1eb5-4f70-9574-baf73e9d219b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

2023-03-17 18:44:06

BuiltIn

SignalR

Azure SignalR Service should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-03-17 18:44:06

BuiltIn

Backup

04726aae-4e8d-427c-af7d-ecf56d490022

[Preview]: Configure Azure Recovery Services vaults to disable public network access

Disable public network access for your Recovery services vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-03-10 18:58:56

BuiltIn

Azure Databricks

2cc2c3b5-c2f8-45aa-a9e6-f90d85ae8352

Azure Databricks workspaces should be Premium SKU that supports features like private link, customer-managed key for encryption

Only allow Databricks workspace with Premium Sku that your organization can deploy to support features like Private Link, customer-managed key for encryption. Learn more at: https://aka.ms/adbpe.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-03-10 18:58:56

BuiltIn

Managed Grafana

4c8537f8-cd1b-49ec-b704-18e82a42fd58

Configure Azure Managed Grafana workspaces to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Managed Grafana workspaces.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-03-10 18:58:56

BuiltIn

Managed Grafana

bc33de80-97cd-4c11-b6b4-d075e03c7d60

Configure Azure Managed Grafana workspaces with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-03-10 18:58:56

BuiltIn

Azure Update Manager

3dc5edcd-002d-444c-b216-e123bbfa37c0

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.1.0-preview > 3.2.0-preview)

2023-03-03 18:43:58

BuiltIn

Guest Configuration

Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-03-03 18:43:58

BuiltIn

Kubernetes

a8e653d9-b5d4-48a0-afe6-14d881f9ee9a

Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed

Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-03-03 18:43:58

BuiltIn

Guest Configuration

Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-03-03 18:43:58

BuiltIn

SQL

6b2122c1-8120-4ff5-801b-17625a355590

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.2.0 > 3.3.0)

2023-03-03 18:43:58

BuiltIn

Kubernetes

Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed

The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0)

2023-02-27 19:03:54

BuiltIn

Automanage

fb97d6e1-5c98-4743-a439-23e0977bad9e

[Preview]: Boot Diagnostics should be enabled on virtual machines

Azure virtual machines should have boot diagniostics enabled.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-02-27 19:03:54

BuiltIn

Security Center

[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension

Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview)

2023-02-27 19:03:54

BuiltIn

Security Center

009259b0-12e8-42c9-94e7-7af86aa58d13

[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension

Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

2023-02-27 19:03:54

BuiltIn

Security Center

[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension

Configure VMSS created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2023-02-27 19:03:54

BuiltIn

Security Center

f7735886-8927-431f-b201-c953922512b8

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets

Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machine scale sets.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

2023-02-27 19:03:54

BuiltIn

Azure Data Explorer

Azure Data Explorer cluster should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Data Explorer cluster, data leakage risks are reduced. Learn more about private links at: https://learn.microsoft.com/en-us/azure/data-explorer/security-network-private-endpoint.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-02-27 19:03:54

BuiltIn

Azure Data Explorer

a47272e1-1d5d-4b0b-b366-4873f1432fe0

Configure Azure Data Explorer clusters with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Data Explorer, you can reduce data leakage risks. Learn more at: [ServiceSpecificAKA.ms].

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-02-27 19:03:54

BuiltIn

Managed Grafana

3a97e513-f75e-4230-8137-1efad4eadbbc

Azure Managed Grafana workspaces should use private link

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-02-27 19:03:54

BuiltIn

Security Center

43bc7be6-5e69-4b0d-a2bb-e815557ca673

[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension

Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview)

2023-02-27 19:03:54

BuiltIn

Azure Data Explorer

Public network access on Azure Data Explorer should be disabled

Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-02-27 19:03:54

BuiltIn

Azure Data Explorer

7b32f193-cb28-4e15-9a98-b9556db0bafa

Configure Azure Data Explorer to disable public network access

Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters .

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-02-27 19:03:54

BuiltIn

Security Center

0adc5395-9169-4b9b-8687-af838d69410a

[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension

Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview)

2023-02-27 19:03:54

BuiltIn

Kubernetes

Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension

Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, old suffix: preview (1.1.0-preview > 1.1.0)

2023-02-27 19:03:54

BuiltIn

Security Center

e8775d5a-73b7-4977-a39b-833ef0114628

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets

Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machine scale sets.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)

2023-02-27 19:03:54

BuiltIn

Managed Grafana

Azure Managed Grafana workspaces should disable public network access

Disabling public network access improves security by ensuring that your Azure Managed Grafana workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your workspaces.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-02-27 19:03:54

BuiltIn

Azure Data Explorer

1fec9658-933f-4b3e-bc95-913ed22d012b

Azure Data Explorer should use a SKU that supports private link

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-02-27 19:03:54

BuiltIn

Monitoring

Deploy-Diagnostics-PostgreSQL

[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2023-02-23 23:18:45

ALZ

Monitoring

a22065a3-3b04-46ff-b84c-2d30e5c300d0

[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2023-02-23 23:18:45

ALZ

Desktop Virtualization

Azure Virtual Desktop hostpools should disable public network access only on session hosts

Disabling public network access for your Azure Virtual Desktop hostpool session hosts, but allowing public access for end users improves security by limiting exposure to the public internet. Learn more at: https://aka.ms/avdprivatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

7b331e6b-6096-4395-a754-758a64505f19

Configure Azure Virtual Desktop hostpools with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Virtual Desktop resources, you can improve security and keep your data safe. Learn more at: https://aka.ms/avdprivatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Compute

fd4726f4-a5fc-4540-912d-67c96fc992d5

[Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated)

2023-02-16 18:41:08

BuiltIn

Automanage

[Preview]: Automanage Configuration Profile Assignment should be Conformant

Resources managed by Automanage should have a status of Conformant or ConformantCorrected.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Automanage

e4953962-5ae4-43eb-bb92-d66fd5563487

[Preview]: A managed identity should be enabled on your machines

Resources managed by Automanage should have a managed identity.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Key Vault

ca950cd7-02f7-422e-8c23-91ff40f169c1

[Deprecated]: Private endpoint should be configured for Key Vault

The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix changed: new suffix: deprecated; old suffix: preview (1.1.0-preview > 1.1.1-deprecated)

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

Azure Virtual Desktop service should use private link

Using Azure Private Link with your Azure Virtual Desktop resources can improve security and keep your data safe. Learn more about private links at: https://aka.ms/avdprivatelink.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

c25dcf31-878f-4eba-98eb-0818fdc6a334

Azure Virtual Desktop hostpools should disable public network access

Disabling public network access improves security and keeps your data safe by ensuring that access to the Azure Virtual Desktop service is not exposed to the public internet. Learn more at: https://aka.ms/avdprivatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

e84e8a9a-f43e-46e3-9458-bbcfb2d7e429

Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts

Disable public network access for your Azure Virtual Desktop hostpool session hosts, but allow public access for end users. This allows users to still access AVD service while ensuring the session host is only accessible through private routes. Learn more at: https://aka.ms/avdprivatelink.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Monitoring

87ac3038-c07a-4b92-860d-29e270a4f3cd

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines

Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.1 > 3.1.0)

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

Azure Virtual Desktop workspaces should disable public network access

Disabling public network access for your Azure Virtual Desktop workspace resource prevents the feed from being accessible over the public internet. Allowing only private network access improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Monitoring

02aa841c-42e8-492f-a43d-1f2c67e58d41

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets

Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.1 > 3.1.0)

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

Configure Azure Virtual Desktop workspaces with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

ce6ebf1d-0b94-4df9-9257-d8cacc238b4f

Configure Azure Virtual Desktop workspaces to disable public network access

Disable public network access for your Azure Virtual Desktop workspace resource so the feed is not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

9427df23-0f42-4e1e-bf99-a6133d841c4a

Configure Azure Virtual Desktop hostpool resources to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Virtual Desktop resources. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

2a0913ff-51e7-47b8-97bb-ea17127f7c8d

Configure Azure Virtual Desktop hostpools to disable public network access

Disable public network access for session hosts and end users on your Azure Virtual Desktop hostpool resource so that it's not accessible over the public internet. This improves security and keeps your data safe. Learn more at: https://aka.ms/avdprivatelink.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Desktop Virtualization

34804460-d88b-4922-a7ca-537165e060ed

Configure Azure Virtual Desktop workspace resources to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2023-02-16 18:41:08

BuiltIn

Monitoring

Deploy-Diagnostics-VNetGW

[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.1.0 > 1.1.1)

2023-02-16 16:18:41

ALZ

Monitoring

Deploy-Diagnostics-Website

[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-02-16 16:18:41

ALZ

Monitoring

fe85de62-a656-4b79-9d94-d95c89319bd9

Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

39741c6f-5e8b-4511-bba4-6662d0e0e2ac

Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

ed6ae75a-828f-4fea-88fd-dead1145f1dd

Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

d147ba9f-3e17-40b1-9c23-3bca478ba804

Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Managed Identity

b9b976cc-59ef-468a-807e-19afa2ebfd52

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview)

2023-02-10 18:41:56

BuiltIn

Monitoring

Enable logging by category group for microsoft.network/p2svpngateways to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

9f4e810a-899e-4e5e-8174-abfcf15739a3

Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

dfbfceaa-14b2-4a90-a679-d169fa6a6a38

Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

f873a711-0322-4744-8322-7e62950fbec2

Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

0628b917-d4b4-4af5-bc2b-b4f87cd173ab

Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

e9c56c41-d453-4a80-af93-2331afeb3d82

Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

856331d3-0169-4dd9-9b04-cbb2ad3d1cf2

Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

edf35972-ed56-4c2f-a4a1-65f0471ba702

Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

f08edf17-5de2-4966-8c62-a50a3f4368ff

Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

4b05de63-3ad2-4f6d-b421-da21f1328f3b

Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

76539a09-021e-4300-953b-4c6018ac26dc

Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b

Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

0277b2d5-6e6f-4d97-9929-a5c4eab56fd7

Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

3d034ef2-001c-46f6-a47b-e6e4a74ff89b

Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

0f708273-cf83-4d29-b31b-ebaf8d0eb8c2

Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

d9f11fea-dd45-46aa-8908-b7a146f1e543

Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

ae48c709-d2b4-4fad-8c5c-838524130aa4

Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

8d253bba-a338-4fd9-9752-6b6edadca1eb

Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

9ba29e83-863d-4fec-81d0-16dd87067cc3

Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

2e8a8853-917a-4d26-9c3a-c92a7fa031e8

Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9

Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

55d1f543-d1b0-4811-9663-d6d0dbc6326d

Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Managed Identity

9e6aee71-3781-4acd-bba7-aac4fb067dfa

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview)

2023-02-10 18:41:56

BuiltIn

Monitoring

Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

SQL

4cabf9fc-4ed1-4990-bbaf-7248fb8751bc

Public network access should be disabled for PostgreSQL servers

Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2023-02-10 18:41:56

BuiltIn

Monitoring

Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Guest Configuration

f6d5d5d5-0fa9-4257-b820-69c35016c973

[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2023-02-10 18:41:56

BuiltIn

Monitoring

Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

a853abad-dfa4-4bf5-aaa1-04cb10c02d23

Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

e7c86682-34c1-488a-9aab-9cb279207992

Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

c3b912c2-7f5b-47ac-bd52-8c85a7667961

Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

3a8ff864-d881-44ce-bed3-0c63ede634cb

Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

03a087c0-b49f-4440-9ae5-013703eccc8c

Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

792f8b74-dc05-44fd-b90d-340a097b80e6

Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

3dd58519-427e-42a4-8ffc-e415a3c716f1

Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d

Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

a81eb966-6696-46b1-9153-bed01569a7d0

Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

API Management

f1cc7827-022c-473e-836e-5a51cae0b249

API Management secret named values should be stored in Azure Key Vault

Named values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret named values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.1 > 1.0.2)

2023-02-10 18:41:56

BuiltIn

Monitoring

8d0726a6-abae-4b04-9d2e-1f2f67a47e6d

Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

50cebe4c-8021-4f07-bcb2-6c80622444a9

Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

fc744b31-a930-4eb5-bc06-e81f98bf7214

Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Azure Update Manager

106cd3bd-50a1-466c-869f-f9c2d310477b

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)

2023-02-10 18:41:56

BuiltIn

Monitoring

Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

0925a080-ab8d-44a1-a39c-61e184b4d8f9

Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

b797045a-b3cd-46e4-adc4-bbadb3381d78

Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

b90ec596-faa6-4c61-9515-34085703e260

Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

e488a548-7afd-43a7-a903-2a6dd36e7504

Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

6567d3f3-42d0-4cfb-9606-9741ba60fa07

Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

bf6af3d2-fbd5-458f-8a40-2556cf539b45

Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

f8352124-56fa-4f94-9441-425109cdc14b

Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

8656d368-0643-4374-a63f-ae0ed4da1d9a

Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

1513498c-3091-461a-b321-e9b433218d28

Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

cac9e1c5-c3cb-47fa-8d4c-88b8559262d2

Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

be9259e2-a221-4411-84fd-dd22c6691653

Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

a142867f-3142-4ac6-b952-ab950a29fca5

Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

aec4c33f-2f2a-4fd3-91cd-24a939513c60

Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

1abe42e1-a726-4dee-94c2-79f364dac9b7

Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

eb5a4c26-04cb-4ab1-81cb-726dc58df772

Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

6f3f5778-f809-4755-9d8f-bd5a5a7add85

Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

a285df35-0164-4f4d-9e04-c39056742c55

Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

b4a9c220-1d62-4163-a17b-30db7d5b7278

Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

818719e5-1338-4776-9a9d-3c31e4df5986

Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

6b2899d8-5fdf-4ade-ba59-f1f82664877b

Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

46b2dd5d-3936-4347-8908-b298ea4466d3

Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e

Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

8fc4ca5f-6abc-4b30-9565-0bd91ac49420

Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

73fb42d8-b57f-41cd-a840-8f4dedb1dd27

Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

3496f6fd-57ba-485c-8a14-183c4493b781

Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

fc66c506-9397-485e-9451-acc1525f0070

Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

90c90eda-bfe7-4c67-bf26-410420ed1047

Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

f969646f-b6b8-45a0-b736-bf9b4bb933dc

Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

0da6faeb-d6c6-4f6e-9f49-06277493270b

Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

b88bfd90-4da5-43eb-936f-ae1481924291

Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

00ec9865-beb6-4cfd-82ed-bd8f50756acd

Enable logging by category group for microsoft.network/p2svpngateways to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

567c93f7-3661-494f-a30f-0a94d9bfebf8

Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb

Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

56288eb2-4350-461d-9ece-2bb242269dce

Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

5f6f2aba-e57f-42ed-9aeb-ffa7321a56db

Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

20f21bc7-b0b8-4d57-83df-5a8a0912b934

Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

fc602c00-2ce3-4556-b615-fa4159517103

Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

0e0c742d-5031-4e65-bf96-1bee7cf55740

Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

69214fad-6742-49a9-8f71-ee9d269364ab

Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

39aa567d-69c2-4cc0-aaa9-76c6d4006b14

Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

71153be3-4742-4aae-9aec-150f7589311b

Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

SQL

b4dec045-250a-48c2-b5cc-e0c4eec8b5b4

A Microsoft Entra administrator should be provisioned for PostgreSQL servers

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

a9ebdeda-251a-4311-92be-5167d73b1682

Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

6b359d8f-f88d-4052-aa7c-32015963ecc1

Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

d3e11828-02c8-40d2-a518-ad01508bb4d7

Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

14e81583-c89c-47db-af0d-f9ddddcccd9f

Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

480851ae-9ff3-49d1-904c-b5bd6f83f1ec

Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

34c7546c-d637-4b5d-96ab-93fb6ed07af8

Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

f5094957-e0f7-4af2-9e14-13d60141dc4a

Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

441af8bf-7c88-4efc-bd24-b7be28d4acce

Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

93a604fe-0ec2-4a99-ab8c-7ef08f05555a

Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

69ab8bfc-dc5b-443d-93a7-7531551dec66

Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b

Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

SQL

146412e9-005c-472b-9e48-c87b72ac229e

A Microsoft Entra administrator should be provisioned for MySQL servers

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

614d9fbd-68cd-4832-96db-3362069661b2

Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

e20f31d7-6b6d-4644-962a-ae513a85ab0b

Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

07c818eb-df75-4465-9233-6a8667e86670

Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

a8de4d0a-d637-4684-b70e-6df73b74d117

Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

94d707a8-ce27-4851-9ce2-07dfe96a095b

Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2023-02-10 18:41:56

BuiltIn

Monitoring

Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-02-03 18:39:01

BuiltIn

Monitoring

Windows Arc-enabled machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2023-02-03 18:39:01

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (6.0.0 > 6.1.0)

2023-02-03 18:39:01

BuiltIn

Monitoring

Configure Windows Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2023-02-03 18:39:01

BuiltIn

Monitoring

a6abeaec-4d90-4a02-805f-6b26c4d3fbe9

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2023-02-03 18:39:01

BuiltIn

Key Vault

Azure Key Vaults should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.1 > 1.2.1)

2023-02-03 18:39:01

BuiltIn

Monitoring

Linux Arc-enabled machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2023-02-03 18:39:01

BuiltIn

Monitoring

Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-02-03 18:39:01

BuiltIn

Monitoring

0db34a60-64f4-4bf6-bd44-f95c16cf34b9

Configure Linux Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2023-02-03 18:39:01

BuiltIn

Network

Deploy a flow log resource with target network security group

Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces.

Fixed
deployIfNotExists

change

Minor (1.0.1 > 1.1.0)

2023-01-27 18:40:07

BuiltIn

API Management

3aa03346-d8c5-4994-a5bc-7652c2a2aef1

API Management subscriptions should not be scoped to all APIs

API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Minor (1.0.0 > 1.1.0)

2023-01-27 18:40:07

BuiltIn

Key Vault

12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5

Azure Key Vault should use RBAC permission model

Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-01-27 18:40:07

BuiltIn

SQL

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2023-01-27 18:40:07

BuiltIn

SQL

Public network access should be disabled for PostgreSQL flexible servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (3.0.0 > 3.0.1)

2023-01-27 18:40:07

BuiltIn

Network

Configure network security groups to enable traffic analytics

Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-01-27 18:40:07

BuiltIn

Network

Deny-MachineLearning-PublicAccessWhenBehindVnet

Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics

If it already has traffic analytics enabled, then policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2023-01-27 18:40:07

BuiltIn

Machine Learning

Deny public access behind vnet to Azure Machine Learning workspace

Deny public access behind vnet to Azure Machine Learning workspaces.

Default
Deny
Allowed
Audit, Disabled, Deny

change

Patch (1.0.0 > 1.0.1)

2023-01-24 24:18:06

ALZ

Key Vault

a6abeaec-4d90-4a02-805f-6b26c4d3fbe9

Azure Key Vaults should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2023-01-23 18:07:09

BuiltIn

Data Factory

2514263b-bc0d-4b06-ac3e-f262c0979018

SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (2.0.0 > 2.1.0)

2023-01-23 18:07:09

BuiltIn

Backup

[Preview]: Immutability must be enabled for backup vaults

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-01-23 18:07:09

BuiltIn

Key Vault

ed7c8c13-51e7-49d1-8a43-8490431a0da2

Deploy Diagnostic Settings for Key Vault to Event Hub

Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (3.0.0 > 3.0.1)

2023-01-23 18:07:09

BuiltIn

Kubernetes

6b2122c1-8120-4ff5-801b-17625a355590

Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-01-23 18:07:09

BuiltIn

Kubernetes

0adc5395-9169-4b9b-8687-af838d69410a

Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-01-23 18:07:09

BuiltIn

Key Vault

ac673a9a-f77d-4846-b2d8-a57f8e1c01d4

Configure Azure Key Vaults to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2023-01-23 18:07:09

BuiltIn

Key Vault

9d4fad1f-5189-4a42-b29e-cf7929c6b6df

Configure Azure Key Vaults with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2023-01-23 18:07:09

BuiltIn

Backup

9798d31d-6028-4dee-8643-46102185c016

[Preview]: Soft delete should be enabled for Backup Vaults

This policy audits if soft delete is enabled for Backup vaults in the scope. Soft delete can help you recover your data after it has been deleted. Learn more at https://aka.ms/AB-SoftDelete

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2023-01-23 18:07:09

BuiltIn

Data Factory

77d40665-3120-4348-b539-3192ec808307

Azure Data Factory should use a Git repository for source control

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2023-01-13 18:06:06

BuiltIn

Data Factory

Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported

Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, old suffix: preview (2.0.0-preview > 2.0.0)

2023-01-13 18:06:06

BuiltIn

Security Center

Microsoft Defender for APIs should be enabled

Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, new suffix: preview (1.0.0 > 1.0.1-preview)

2023-01-13 18:06:06

BuiltIn

Backup

cbd11fd3-3002-4907-b6c8-579f0e700e13

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.0.0 > 9.1.0)

2023-01-13 18:06:06

BuiltIn

Service Bus

Service Bus Namespaces should disable public network access

Azure Service Bus should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-01-13 18:06:06

BuiltIn

Kubernetes

a451c1ef-c6ca-483d-87ed-f49761e3ffb5

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.0.0 > 4.0.1)

2023-01-13 18:06:06

BuiltIn

General

Audit usage of custom RBAC roles

Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-01-13 18:06:06

BuiltIn

Key Vault

86810a98-8e91-4a44-8386-ec66d0de5d57

[Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size

To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-01-13 18:06:06

BuiltIn

Key Vault

1d478a74-21ba-4b9f-9d8f-8e6fced0eec5

[Preview]: Azure Key Vault Managed HSM keys should have an expiration date

To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-01-13 18:06:06

BuiltIn

Guest Configuration

Windows machines should be configured to use secure communication protocols

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2023-01-13 18:06:06

BuiltIn

Backup

b66ab71c-582d-4330-adfd-ac162e78691e

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.0.0 > 9.1.0)

2023-01-13 18:06:06

BuiltIn

Web PubSub

Azure Web PubSub Service should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure Web PubSub Service exclusively require Azure Active Directory identities for authentication.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-01-13 18:06:06

BuiltIn

Web PubSub

17f9d984-90c8-43dd-b7a6-76cb694815c1

Configure Azure Web PubSub Service to disable local authentication

Disable local authentication methods so that your Azure Web PubSub Service exclusively requires Azure Active Directory identities for authentication.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2023-01-13 18:06:06

BuiltIn

Container Registry

e9585a95-5b8c-4d03-b193-dc7eb5ac4c32

Configure Container registries to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2023-01-13 18:06:06

BuiltIn

SQL

057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9

[Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports

This policy is deprecated. The policy ensures that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2023-01-13 18:06:06

BuiltIn

Azure Update Manager

127ef6d7-242f-43b3-9eef-947faf1725d0

Configure periodic checking for missing system updates on azure Arc-enabled servers

Fixed
modify

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2023-01-13 18:06:06

BuiltIn

Data Factory

Azure Data Factory linked services should use Key Vault for storing secrets

To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2023-01-13 18:06:06

BuiltIn

Data Factory

85bb39b5-2f66-49f8-9306-77da3ac5130f

Azure Data Factory integration runtime should have a limit for number of cores

To manage your resources and costs, limit the number of cores for an integration runtime.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2023-01-13 18:06:06

BuiltIn

Data Factory

6809a3d0-d354-42fb-b955-783d207c62a8

Azure Data Factory linked service resource type should be in allow list

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2023-01-13 18:06:06

BuiltIn

Machine Learning

Azure Machine Learning compute instances should be recreated to get the latest software updates

Fixed
[parameters('effects')]

add

new Policy

2023-01-13 18:06:06

BuiltIn

App Service

86a912f6-9a06-4e26-b447-11b16ba8659f

App Service apps that use PHP should use a specified 'PHP version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2023-01-13 18:06:06

BuiltIn

SQL

Deploy SQL DB transparent data encryption

Enables transparent data encryption on SQL databases

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2023-01-13 18:06:06

BuiltIn

Backup

e58fd0c1-feac-4d12-92db-0a7e9421f53e

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.0.0 > 9.1.0)

2023-01-13 18:06:06

BuiltIn

Key Vault

[Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names

To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-01-13 18:06:06

BuiltIn

Security Center

ad27588c-0198-4c84-81ef-08efd0274653

[Deprecated]: Configure Microsoft Defender for APIs should be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch, new suffix: preview (1.0.0 > 1.0.1-preview)

2023-01-13 18:06:06

BuiltIn

Key Vault

[Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration

To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2023-01-13 18:06:06

BuiltIn

Machine Learning

ee40564d-486e-4f68-a5ca-7a621edae0fb

Configure Azure Machine Learning workspace to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2023-01-13 18:06:06

BuiltIn

Backup

9ebbbba3-4d65-4da9-bb67-b22cfaaff090

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (9.0.0 > 9.1.0)

2023-01-13 18:06:06

BuiltIn

Backup

[Preview]: Azure Recovery Services vaults should disable public network access

Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: https://aka.ms/AB-PublicNetworkAccess-Deny.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-01-13 18:06:06

BuiltIn

Event Hub

0602787f-9896-402a-a6e1-39ee63ee435e

Event Hub Namespaces should disable public network access

Azure Event Hub should have public network access disabled. Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2023-01-13 18:06:06

BuiltIn

Guest Configuration

357cbd2d-b5c0-4c73-b40c-6bd84f06ce09

[Preview]: Configure Windows Server to disable local users.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2023-01-04 18:03:56

BuiltIn

Guest Configuration

Deploy-Sql-vulnerabilityAssessments

Configure Linux Server to disable local users.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2023-01-04 18:03:56

BuiltIn

SQL

[Deprecated]: Deploy SQL Database vulnerability Assessments

Deploy SQL Database vulnerability Assessments when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-vulnerabilityAssessments_20230706.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 003
•Monitoring Contributor
•SQL Security Manager
•Storage Account Contributor

change

Patch (1.0.0 > 1.0.1)

Superseded by: Deploy SQL Database Vulnerability Assessments (Deploy-Sql-vulnerabilityAssessments_20230706) Custom ALZ

2023-01-04 04:18:03

ALZ

Security Center

Deploy-ASC-SecurityContacts

Deploy Microsoft Defender for Cloud Security Contacts

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-12-28 28:18:06

ALZ

Guest Configuration

33228571-70a4-4fa1-8ca1-26d0aba8d6ef

Configure Linux Server to disable local users.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

App Service

[Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network

By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-12-21 17:43:51

BuiltIn

Security Center

23057b42-ca8d-4aa0-a3dc-96a98b5b5a3d

Configure ChangeTracking Extension for Linux virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Azure Databricks

Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

09a1f130-7697-42bc-8d84-8a9ea17e5192

Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory

Deploy Association to link Linux Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Azure Update Manager

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

fad40cac-a972-4db0-b204-f1b15cced89a

Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Guest Configuration

Local authentication methods should be disabled on Linux machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

a7acfae7-9497-4a3f-a3b5-a16a50abbe2f

Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Security Center

357cbd2d-b5c0-4c73-b40c-6bd84f06ce09

[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Guest Configuration

[Preview]: Configure Windows Server to disable local users.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-12-21 17:43:51

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-12-21 17:43:51

BuiltIn

Monitoring

e71c1e29-9c76-4532-8c4b-cb0573b0014c

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-12-21 17:43:51

BuiltIn

Security Center

ChangeTracking extension should be installed on your Linux virtual machine scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

App Service

a691eacb-474d-47e4-b287-b4813ca44222

App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network

By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Guest Configuration

5fe81c49-16b6-4870-9cee-45d13bf902ce

Local authentication methods should be disabled on Windows Servers

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Security Center

4bb303db-d051-4099-95d2-e3e1428a4d2c

Configure ChangeTracking Extension for Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Machine Learning

afe0c3be-ba3b-4544-ba52-0c99672a8ad6

Resource logs in Azure Machine Learning Workspaces should be enabled

Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Monitoring

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-12-21 17:43:51

BuiltIn

Azure Update Manager

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

221aac80-54d8-484b-83d7-24f4feac2ce0

Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Security Center

[Preview]: ChangeTracking extension should be installed on your Windows virtual machine

Install ChangeTracking Extension on Windows virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Security Center

1288c8d7-4b05-4e3a-bc88-9053caefc021

Configure ChangeTracking Extension for Linux virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Security Center

Configure ChangeTracking Extension for Windows Arc machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Azure Update Manager

138ff14d-b687-4faa-a81c-898c91a87fa2

Configure periodic checking for missing system updates on azure Arc-enabled servers

Fixed
modify

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Azure Databricks

Resource logs in Azure Databricks Workspaces should be enabled

Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Security Center

8893442c-e7cb-4637-bab8-299a5d4ed96a

[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Security Center

[Preview]: ChangeTracking extension should be installed on your Linux virtual machine

Install ChangeTracking Extension on Linux virtual machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Azure Databricks

51c1490f-3319-459c-bbbc-7f391bbed753

Azure Databricks Clusters should disable public IP

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

App Service

ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd

[Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network

By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

ef9fe2ce-a588-4edd-829c-6247069dcfdb

Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory

Deploy Association to link Windows Arc-enabled machines to specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Security Center

938c4981-c2c9-4168-9cd6-972b8675f906

Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

1142b015-2bd7-41e0-8645-a531afe09a1e

Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Security Center

5747353b-1ca9-42c1-a4dd-b874b894f3d4

Configure ChangeTracking Extension for Linux Arc machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

App Service

App Service app slots should enable configuration routing to Azure Virtual Network

By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Monitoring

801543d1-1953-4a90-b8b0-8cf6d41473a5

Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2022-12-21 17:43:51

BuiltIn

App Service

App Service apps should enable configuration routing to Azure Virtual Network

By default, app configuration such as pulling container images and mounting content storage will not be routed through the regional virtual network integration. Using the API to set routing options to true enables configuration traffic through the Azure Virtual Network. These settings allow features like network security groups and user defined routes to be used, and service endpoints to be private. For more information, visit https://aka.ms/appservice-vnet-configuration-routing.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

7f89b1eb-583c-429a-8828-af049802c1d9

Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Monitoring

Audit diagnostic setting for selected resource types

Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.

Fixed
AuditIfNotExists

change

Patch (2.0.0 > 2.0.1)

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

bef2d677-e829-492d-9a3d-f5a20fda818f

Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Monitoring

f5c0bfb3-acea-47b1-b477-b0edcdf6edc1

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-12-21 17:43:51

BuiltIn

App Service

App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network

By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

b6faa975-0add-4f35-8d1c-70bba45c4424

Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.1.1-preview > 3.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Monitoring

Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2022-12-21 17:43:51

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Security Center

f59276f0-5740-4aaf-821d-45d185aa210e

Configure ChangeTracking Extension for Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Machine Learning

Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Monitoring

4bb303db-d051-4099-95d2-e3e1428a4d00

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (5.0.0 > 6.0.0)

2022-12-21 17:43:51

BuiltIn

Security Center

ChangeTracking extension should be installed on your Windows virtual machine scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

8fd85785-1547-4a4a-bf90-d5483c9571c5

Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Kubernetes

c5110b6e-5272-4989-9935-59ad06fdf341

Azure Kubernetes Clusters should enable Container Storage Interface(CSI)

The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, https://aka.ms/aks-csi-driver

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

ad1eeff9-20d7-4c82-a04e-903acab0bfc1

Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Monitoring

4485d24b-a9d3-4206-b691-1fad83bc5007

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-12-21 17:43:51

BuiltIn

ChangeTrackingAndInventory

Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-12-21 17:43:51

BuiltIn

Storage

Configure diagnostic settings for Table Services to Log Analytics workspace

Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-12-21 17:43:51

BuiltIn

Storage

Configure diagnostic settings for Queue Services to Log Analytics workspace

Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-12-21 17:43:51

BuiltIn

Security Center

Deploy-Diagnostics-DataFactory

[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines

Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major, suffix remains equal (2.0.1-preview > 3.0.0-preview)

2022-12-21 17:43:51

BuiltIn

Monitoring

[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2022-12-16 16:17:44

ALZ

Monitoring

c9c29499-c1d1-4195-99bd-2ec9e3a9dc89

Deploy Diagnostic Settings for Network Security Groups

This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.

Fixed
deployIfNotExists

change

Patch (2.0.0 > 2.0.1)

2022-12-09 17:45:23

BuiltIn

SQL

ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9

Vulnerability assessment should be enabled on your SQL servers

Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-12-09 17:45:23

BuiltIn

Monitoring

Deploy-Diagnostics-LogAnalytics

[Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-11-22 22:17:43

ALZ

Monitoring

Deploy-Sql-SecurityAlertPolicies

[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2022-11-21 21:17:43

ALZ

SQL

Deploy-Sql-Tde

[Deprecated] Deploy SQL Database Transparent Data Encryption

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

Superseded by: Deploy SQL DB transparent data encryption (86a912f6-9a06-4e26-b447-11b16ba8659f) BuiltIn

2022-11-17 17:17:42

ALZ

SQL

Deploy SQL Database security Alert Policies configuration with email admin accounts

Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.1)

2022-11-17 17:17:42

ALZ

Network

Deny-PublicIP

[Deprecated] Deny the creation of public IP

[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Not allowed resource types (6c112d4e-5bc7-47ae-a041-ea2d9dccd749) BuiltIn

2022-11-14 14:17:43

ALZ

Security Center

689f7782-ef2c-4270-a6d0-7664869076bd

Configure Microsoft Defender CSPM to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-11-04 17:41:52

BuiltIn

Monitoring

1f90fc71-a595-4066-8974-d4d0802e8ef0

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2022-11-04 17:41:52

BuiltIn

Security Center

Microsoft Defender CSPM should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-11-04 17:41:52

BuiltIn

Monitoring

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-11-04 17:41:52

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2022-11-04 17:41:52

BuiltIn

Cognitive Services

Deploy-Nsg-FlowLogs-to-LA

[Deprecated]: Cognitive Services accounts should disable public network access

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-11-04 17:41:52

BuiltIn

Network

Deploy-DDoSProtection

Deploy an Azure DDoS Network Protection

Deploys an Azure DDoS Network Protection

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-11-03 03:17:41

ALZ

Monitoring

[Deprecated] Deploys NSG flow logs and traffic analytics to Log Analytics

[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to Log Analytics with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 005
•Contributor
•Log Analytics Contributor
•Network Contributor
•Storage Account Contributor
•Storage Account Key Operator Service Role

change

Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated)

Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn

2022-11-02 02:17:41

ALZ

Monitoring

Deploy-Nsg-FlowLogs

[Deprecated] Deploys NSG flow logs and traffic analytics

[Deprecated] Deprecated by built-in policy. Deploys NSG flow logs and traffic analytics to a storageaccountid with a specified retention period. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure network security groups to enable traffic analytics (e920df7f-9a64-4066-9b58-52684c02a091) BuiltIn

2022-11-02 02:17:41

ALZ

Machine Learning

Azure Machine Learning Computes should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-10-28 16:42:53

BuiltIn

Machine Learning

Configure Azure Machine Learning Computes to disable local authentication methods

Default
Modify
Allowed
Modify, Disabled

change

Major (1.0.0 > 2.0.0)

2022-10-28 16:42:53

BuiltIn

Azure Update Manager

5485eac0-7e8f-4964-998b-a44f4f0c1e75

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-10-28 16:42:53

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should not run as ContainerAdministrator

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-10-28 16:42:53

BuiltIn

Security Center

938c4981-c2c9-4168-9cd6-972b8675f906

Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-10-28 16:42:53

BuiltIn

Automation

dea83a72-443c-4292-83d5-54a2f98749c0

Automation Account should have Managed Identity

Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code .

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-10-28 16:42:53

BuiltIn

Monitoring

Deploy-Diagnostics-SQLElasticPools

[Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-TrafficManager

[Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-EventGridSystemTopic

[Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-CosmosDB

[Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-SQLMI

[Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-HDInsight

[Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-ACI

[Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-DataExplorerCluster

[Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-FrontDoor

[Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-VirtualNetwork

[Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-WVDWorkspace

[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.1)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-MlWorkspace

[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-EventGridTopic

[Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-NIC

[Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-PostgreSQL

[Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-WebServerFarm

[Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-LogicAppsISE

[Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-AnalysisService

[Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-DLAnalytics

[Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-ApplicationGateway

[Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-Function

[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2022-10-25 25:16:43

ALZ

Monitoring

[Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-RedisCache

[Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-MariaDB

[Deprecated] Diagnostic Settings for MariaDB to Log Analytics Workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-WVDAppGroup

[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.1)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-ExpressRoute

[Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-LoadBalancer

[Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-Website

[Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-VMSS

[Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-TimeSeriesInsights

[Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-CDNEndpoints

[Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-NetworkSecurityGroups

[Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-Relay

[Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-ApiForFHIR

[Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-Firewall

[Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-EventGridSub

[Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-SignalR

[Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-VNetGW

[Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-PowerBIEmbedded

[Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-ACR

[Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-VM

[Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-APIMgmt

[Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-AVDScalingPlans

[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-MySQL

[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-AA

[Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-DataFactory

[Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-iotHub

[Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-CognitiveServices

[Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-MediaService

[Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

Deploy-Diagnostics-Bastion

[Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Monitoring

[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-25 25:16:43

ALZ

Kubernetes

[Preview]: Kubernetes clusters should restrict creation of given resource type

Given Kubernetes resource type should not be deployed in certain namespace.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview)

2022-10-21 16:42:13

BuiltIn

Kubernetes

e3905a3c-97e7-0b4f-15fb-465c0927536f

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2022-10-21 16:42:13

BuiltIn

Regulatory Compliance

Correlate Vulnerability scan information

CMA_C1558 - Correlate Vulnerability scan information

Default
Manual
Allowed
Manual, Disabled

change

Patch (1.1.0 > 1.1.1)

2022-10-21 16:42:13

BuiltIn

Regulatory Compliance

a3e98638-51d4-4e28-910a-60e98c1a756f

Configure Azure Audit capabilities

CMA_C1108 - Configure Azure Audit capabilities

Default
Manual
Allowed
Manual, Disabled

change

Patch (1.1.0 > 1.1.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (8.0.0 > 8.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes resources should have required annotations

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-10-21 16:42:13

BuiltIn

SQL

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access

Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (2.0.0 > 2.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2022-10-21 16:42:13

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2022-10-21 16:42:13

BuiltIn

Kubernetes

89f2d532-c53c-4f8f-9afa-4927b1114a0d

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Azure Kubernetes Service Clusters should disable Command Invoke

Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

450d2877-ebea-41e8-b00c-e286317d21bf

Kubernetes cluster containers should only use allowed pull policy

Restrict containers' pull policy to enforce containers to use only allowed images on deployments

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machines

Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.

Fixed
deployIfNotExists

change

Major (4.0.0 > 5.0.0)

2022-10-21 16:42:13

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2022-10-21 16:42:13

BuiltIn

Kubernetes

41425d9f-d1a5-499a-9932-f8ed8453932c

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host

To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should only run with approved user and domain user group

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

8a04f872-51e9-4313-97fb-fc1c35430fd8

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-10-21 16:42:13

BuiltIn

Monitoring

Azure Front Door should have Resource logs enabled

Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

8a04f872-51e9-4313-97fb-fc1c3543011c

Ensure cluster containers have readiness or liveness probes configured

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-10-21 16:42:13

BuiltIn

Monitoring

Azure Application Gateway should have Resource logs enabled

Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-10-21 16:42:13

BuiltIn

Azure Update Manager

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-10-21 16:42:13

BuiltIn

Automanage

[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix changed: new suffix: deprecated; old suffix: version (4.1.0-version-deprecated > 4.1.1-deprecated)

2022-10-21 16:42:13

BuiltIn

Kubernetes

7d7be79c-23ba-4033-84dd-45e2a5ccdd67

Kubernetes cluster should not use naked pods

Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys

Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

0dcbaf2f-075e-947b-8f4c-74ecc5cd302c

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (8.0.0 > 8.0.1)

2022-10-21 16:42:13

BuiltIn

Regulatory Compliance

Identify individuals with security roles and responsibilities

CMA_C1566 - Identify individuals with security roles and responsibilities

Default
Manual
Allowed
Manual, Disabled

change

Patch (1.1.0 > 1.1.1)

2022-10-21 16:42:13

BuiltIn

Storage

Configure diagnostic settings for Table Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-10-21 16:42:13

BuiltIn

Storage

Configure diagnostic settings for File Services to Log Analytics workspace

Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-10-21 16:42:13

BuiltIn

Kubernetes

f33c3238-11d2-508c-877c-4262ec1132e1

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

Default
Audit
Allowed
Audit, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-10-21 16:42:13

BuiltIn

Regulatory Compliance

Recover and reconstitute resources after any disruption

CMA_C1295 - Recover and reconstitute resources after any disruption

Default
Manual
Allowed
Manual, Disabled

change

Patch (1.1.0 > 1.1.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (9.0.0 > 9.0.1)

2022-10-21 16:42:13

BuiltIn

Monitoring

f801d58e-5659-9a4a-6e8d-02c9334732e5

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2022-10-21 16:42:13

BuiltIn

Regulatory Compliance

Restore resources to operational state

CMA_C1297 - Restore resources to operational state

Default
Manual
Allowed
Manual, Disabled

change

Patch (1.1.0 > 1.1.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-10-21 16:42:13

BuiltIn

Automanage

Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (2.2.0 > 2.3.0)

2022-10-21 16:42:13

BuiltIn

Automanage

Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

46238e2f-3f6f-4589-9f3f-77bed4116e67

Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Azure Kubernetes Clusters should use Azure CNI

Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Disable Command Invoke on Azure Kubernetes Service clusters

Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (9.0.0 > 9.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (8.0.0 > 8.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (9.0.0 > 9.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (8.0.0 > 8.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

62fa14f0-4cbe-762d-5469-0899a99b98aa

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2022-10-21 16:42:13

BuiltIn

Regulatory Compliance

Explicitly notify use of collaborative computing devices

CMA_C1649 - Explicitly notify use of collaborative computing devices

Default
Manual
Allowed
Manual, Disabled

change

Patch (1.1.0 > 1.1.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

993c2fcd-2b29-49d2-9eb0-df2c3a730c32

Azure Kubernetes Service Clusters should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

da6e2401-19da-4532-9141-fb8fbde08431

Azure Kubernetes Service Clusters should use managed identities

Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets

Fixed
deployIfNotExists

change

Major (4.0.0 > 5.0.0)

2022-10-21 16:42:13

BuiltIn

Kubernetes

22a02c9a-49e4-5dc9-0d14-eb35ad717154

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-10-21 16:42:13

BuiltIn

Regulatory Compliance

Obtain design and implementation information for the security controls

CMA_C1576 - Obtain design and implementation information for the security controls

Default
Manual
Allowed
Manual, Disabled

change

Patch (1.1.0 > 1.1.1)

2022-10-21 16:42:13

BuiltIn

Storage

Configure diagnostic settings for Blob Services to Log Analytics workspace

Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-10-21 16:42:13

BuiltIn

Storage

Configure diagnostic settings for Storage Accounts to Log Analytics workspace

Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-10-21 16:42:13

BuiltIn

Storage

Configure diagnostic settings for Queue Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should not overcommit cpu and memory

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

040732e8-d947-40b8-95d6-854c95024bf8

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

Azure Kubernetes Service Private Clusters should be enabled

Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-21 16:42:13

BuiltIn

Kubernetes

2d048aca-6479-4923-88f5-e2ac295d9af3

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-10-21 16:42:13

BuiltIn

App Service

App Service Environment apps should not be reachable over public internet

To ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-10-14 16:34:37

BuiltIn

Guest Configuration

63594bb8-43bb-4bf0-bbf8-c67e5c28cb65

[Preview]: Linux machines should meet STIG compliance requirement for Azure compute

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-14 16:34:37

BuiltIn

App Service

63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7

[Deprecated]: App Services should disable public network access

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-10-07 16:34:28

BuiltIn

Monitoring

a08ae1ab-8d1d-422b-a123-df82b307ba61

Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)

2022-10-07 16:34:28

BuiltIn

App Service

App Service app slots should have remote debugging turned off

Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

Azure Arc

55c4db33-97b0-437b-8469-c4f4498f5df9

Configure Azure Arc Private Link Scopes to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Arc Private Link Scopes. Learn more at: https://aka.ms/arc/privatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.2.0)

2022-10-07 16:34:28

BuiltIn

App Service

fa3a6357-c6d6-4120-8429-855577ec0063

Configure Function app slots to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

2374605e-3e0b-492b-9046-229af202562c

Configure App Service apps to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

0f98368e-36bc-4716-8ac2-8f8067203b63

Configure App Service apps to only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Modify
Allowed
Modify, Disabled

change

Major (1.0.0 > 2.0.0)

2022-10-07 16:34:28

BuiltIn

App Service

ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d

Configure App Service apps to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-07 16:34:28

BuiltIn

App Service

1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0

Function apps should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-10-07 16:34:28

BuiltIn

App Service

Configure Function apps to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-10-07 16:34:28

BuiltIn

App Service

deb528de-8f89-4101-881c-595899253102

Function app slots should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

Azure Arc

d6eeba80-df61-4de5-8772-bc1b7852ba6b

Configure Azure Arc Private Link Scopes with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Arc Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/arc/privatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 003
•Azure Connected Machine Resource Administrator
•Kubernetes Cluster - Azure Arc Onboarding
•Network Contributor

change

Major (1.0.0 > 2.0.0)

2022-10-07 16:34:28

BuiltIn

Azure Arc

12e7176a-4919-47ef-922b-34eda4c7f0ce

Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

08cf2974-d178-48a0-b26d-f6b8e555748b

Configure Function app slots to only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Modify
Allowed
Modify, Disabled

change

Major (1.0.0 > 2.0.0)

2022-10-07 16:34:28

BuiltIn

App Service

70adbb40-e092-42d5-a6f8-71c540a5efdb

Configure Function app slots to turn off remote debugging

Remote debugging requires inbound ports to be opened on a Function app. Remote debugging should be turned off.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

1b5ef780-c53c-4a64-87f3-bb9c8c8094ba

App Service apps should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-10-07 16:34:28

BuiltIn

App Service

App Service apps should disable public network access

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-10-07 16:34:28

BuiltIn

Monitoring

d639b3af-a535-4bef-8dcf-15078cddf5e2

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.1-preview > 2.0.0-preview)

2022-10-07 16:34:28

BuiltIn

App Service

App Service app slots should have resource logs enabled

Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

cd794351-e536-40f4-9750-503a463d8cad

Configure Function apps to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

cca5adfe-626b-4cc6-8522-f5b6ed2391bd

Configure App Service app slots to turn off remote debugging

Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

c6c3e00e-d414-4ca4-914f-406699bb8eee

Configure App Service app slots to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

89691ef9-8c50-49a8-8950-9c7fba41699e

Function app slots should have remote debugging turned off

Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

Synapse

c3624673-d2ff-48e0-b28c-5de1c6767c3c

Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

fa98f1b1-1f56-4179-9faf-93ad82f3458f

Function app slots should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

242222f3-4985-4e99-b5ef-086d6a6cb01c

Function apps should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (4.0.0 > 5.0.0)

2022-10-07 16:34:28

BuiltIn

App Service

Configure Function app slots to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

969ac98b-88a8-449f-883c-2e9adb123127

Function apps should disable public network access

Disabling public network access improves security by ensuring that the Function app is not exposed on the public internet. Creating private endpoints can limit exposure of a Function App. Learn more at: https://aka.ms/app-service-private-endpoint.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

81dff7c0-4020-4b58-955d-c076a2136b56

[Deprecated]: Configure App Services to disable public network access

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-10-07 16:34:28

BuiltIn

App Service

701a595d-38fb-4a66-ae6d-fb3735217622

App Service app slots should disable public network access

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

cb3738a6-82a2-4a18-b87b-15217b9deff4

Function apps should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-10-07 16:34:28

BuiltIn

Synapse

Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer

Setting TLS version to 1.2 or newer improves security by ensuring your Azure Synapse workspace SQL server can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-07 16:34:28

BuiltIn

App Service

a18c77f2-3d6d-497a-9f61-849a7e8a3b79

Configure App Service app slots to only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Modify
Allowed
Modify, Disabled

change

Major (1.0.0 > 2.0.0)

2022-10-07 16:34:28

BuiltIn

App Service

ab9ca4fc-5d29-4c62-bbad-018df1f5f0dd

[Deprecated]: App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network

By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

Synapse

2158ddbe-fefa-408e-b43f-d4faef8ff3b8

Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

Health Data Services workspace

64528841-2f92-43f6-a137-d52e5c3dbeac

Azure Health Data Services workspace should use private link

Health Data Services workspace should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/healthcareapisprivatelink.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

4ee5b817-627a-435a-8932-116193268172

App Service app slots should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

Kubernetes

dbbdc317-9734-4dd8-9074-993b29c69008

Azure Kubernetes Clusters should enable Key Management Service (KMS)

Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

Azure Arc

4002015b-1272-4dfb-8943-fed4aeec39b6

Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

ae1b9a8c-dfce-4605-bd91-69213b4a26fc

App Service app slots should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (1.0.0 > 2.0.0)

2022-10-07 16:34:28

BuiltIn

App Service

11c82d0c-db9f-4d7b-97c5-f3f9aa957da2

Function app slots should disable public network access

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

014664e7-e348-41a3-aeb9-566e4ff6a9df

Configure App Service app slots to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71

Function app slots should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (1.0.0 > 2.0.0)

2022-10-07 16:34:28

BuiltIn

App Service

4a15c15f-90d5-4a1f-8b63-2903944963fd

App Service apps should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-10-07 16:34:28

BuiltIn

App Service

App Service app slots should use managed identity

Use a managed identity for enhanced authentication security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

App Service

a096cbd0-4693-432f-9374-682f485f23f3

Configure Function apps to only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Modify
Allowed
Modify, Disabled

change

Major (1.0.0 > 2.0.0)

2022-10-07 16:34:28

BuiltIn

Synapse

8b5c654c-fb07-471b-aa8f-15fea733f140

Configure Azure Synapse Workspace Dedicated SQL minimum TLS version

Customers can raise or lower the minimal TLS version using the API, for both new Synapse workspaces or existing workspaces. So users who need to use a lower client version in the workspaces can connect while users who has security requirement can raise the minimum TLS version. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-10-07 16:34:28

BuiltIn

App Service

4dcfb8b5-05cd-4090-a931-2ec29057e1fc

App Service apps should use a SKU that supports private link

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-10-07 16:34:28

BuiltIn

App Service

App Service app slots should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-10-07 16:34:28

BuiltIn

SQL

a4af4a39-4135-47fb-b175-47fbdf85311d

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-10-07 16:34:28

BuiltIn

App Service

App Service apps should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (3.0.0 > 4.0.0)

2022-10-07 16:34:28

BuiltIn

Monitoring

7f89b1eb-583c-429a-8828-af049802c1d9

Audit diagnostic setting for selected resource types

Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.

Fixed
AuditIfNotExists

change

Major (1.1.0 > 2.0.0)

2022-10-05 16:36:28

BuiltIn

Security Center

[Deprecated]: Azure Security agent should be installed on your Windows virtual machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-09-30 16:34:23

BuiltIn

Security Center

[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-09-30 16:34:23

BuiltIn

Security Center

cfaf0007-99c7-4b01-b36b-4048872ac978

[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (6.0.0-preview > 7.0.0-preview)

2022-09-30 16:34:23

BuiltIn

Synapse

Azure Synapse Analytics dedicated SQL pools should enable encryption

Enable transparent data encryption for Azure Synapse Analytics dedicated SQL pools to protect data-at-rest and meet compliance requirements. Please note that enabling transparent data encryption for the pool may impact query performance. More details can refer to https://go.microsoft.com/fwlink/?linkid=2147714

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-30 16:34:23

BuiltIn

Guest Configuration

6654c8c4-e6f8-43f8-8869-54327af7ce32

Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-30 16:34:23

BuiltIn

Security Center

[Deprecated]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-09-30 16:34:23

BuiltIn

Security Center

e8794316-d918-4565-b57d-6b38a06381a0

[Deprecated]: Azure Security agent should be installed on your Linux virtual machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-09-30 16:34:23

BuiltIn

Security Center

[Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-09-30 16:34:23

BuiltIn

Security Center

3dc5edcd-002d-444c-b216-e123bbfa37c0

[Deprecated]: Azure Security agent should be installed on your Windows virtual machine scale sets

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-09-30 16:34:23

BuiltIn

Guest Configuration

Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-30 16:34:23

BuiltIn

Security Center

62b52eae-c795-44e3-94e8-1b3d264766fb

[Deprecated]: Azure Security agent should be installed on your Linux virtual machine scale sets

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-09-30 16:34:23

BuiltIn

Regulatory Compliance

d25cbded-121e-0ed6-1857-dc698c9095b1

Take action in response to customer information

CMA_C1554 - Take action in response to customer information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

83eea3d3-0d2c-9ccd-1021-2111b29b2a62

Ensure system capable of dynamic isolation of resources

CMA_C1638 - Ensure system capable of dynamic isolation of resources

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b2d3e5a2-97ab-5497-565a-71172a729d93

Protect passwords with encryption

CMA_0408 - Protect passwords with encryption

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

b8dad106-6444-5f55-307e-1e1cc9723e39

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

Ensure cryptographic mechanisms are under configuration management

CMA_C1199 - Ensure cryptographic mechanisms are under configuration management

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

fc26e2fd-3149-74b4-5988-d64bb90f8ef7

Separately store backup information

CMA_C1293 - Separately store backup information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2c6bee3a-2180-2430-440d-db3c7a849870

Document security operations

CMA_0202 - Document security operations

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

898a5781-2254-5a37-34c7-d78ea7c20d55

Publish SORNs for systems containing PII

CMA_C1862 - Publish SORNs for systems containing PII

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

058e9719-1ff9-3653-4230-23f76b6492e0

Enforce security configuration settings

CMA_0249 - Enforce security configuration settings

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

70fe686f-1f91-7dab-11bf-bca4201e183b

Review role group changes weekly

CMA_0476 - Review role group changes weekly

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e9c60c37-65b0-2d72-6c3c-af66036203ae

Review and update contingency planning policies and procedures

CMA_C1243 - Review and update contingency planning policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

41172402-8d73-64c7-0921-909083c086b0

Not allow for information systems to accompany with individuals

CMA_C1182 - Not allow for information systems to accompany with individuals

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e4e1f896-8a93-1151-43c7-0ad23b081ee2

Authorize, monitor, and control voip

CMA_0025 - Authorize, monitor, and control voip

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5023a9e7-8e64-2db6-31dc-7bce27f796af

Provide privacy notice to the public and to individuals

CMA_C1861 - Provide privacy notice to the public and to individuals

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

477bd136-7dd9-55f8-48ac-bae096b86a07

Develop POA&M

CMA_C1156 - Develop POA&M

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b5244f81-6cab-3188-2412-179162294996

Review publicly accessible content for nonpublic information

CMA_C1086 - Review publicly accessible content for nonpublic information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8e920169-739d-40b5-3f99-c4d855327bb2

Prohibit binary/machine-executable code

CMA_C1717 - Prohibit binary/machine-executable code

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

318b2bd9-9c39-9f8b-46a7-048401f33476

Address coding vulnerabilities

CMA_0003 - Address coding vulnerabilities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

096a7055-30cb-2db4-3fda-41b20ac72667

Require interconnection security agreements

CMA_C1151 - Require interconnection security agreements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a28323fe-276d-3787-32d2-cef6395764c4

Develop audit and accountability policies and procedures

CMA_0154 - Develop audit and accountability policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

92a7591f-73b3-1173-a09c-a08882d84c70

Identify actions allowed without authentication

CMA_0295 - Identify actions allowed without authentication

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1

Adhere to retention periods defined

CMA_0004 - Adhere to retention periods defined

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b8587fce-138f-86e8-33a3-c60768bf1da6

Automate remote maintenance activities

CMA_C1402 - Automate remote maintenance activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ba99d512-3baa-1c38-8b0b-ae16bbd34274

Test contingency plan at an alternate processing location

CMA_C1265 - Test contingency plan at an alternate processing location

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68

Conduct risk assessment and document its results

CMA_C1542 - Conduct risk assessment and document its results

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3f1216b0-30ee-1ac9-3899-63eb744e85f5

Obtain Admin documentation

CMA_C1580 - Obtain Admin documentation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2401b496-7f23-79b2-9f80-89bb5abf3d4a

Protect incident response plan

CMA_0405 - Protect incident response plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

59f7feff-02aa-6539-2cf7-bea75b762140

Develop access control policies and procedures

CMA_0144 - Develop access control policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

677e1da4-00c3-287a-563d-f4a1cf9b99a0

Conduct Risk Assessment

CMA_C1543 - Conduct Risk Assessment

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5b802722-71dd-a13d-2e7e-231e09589efb

Implement privileged access for executing vulnerability scanning activities

CMA_C1555 - Implement privileged access for executing vulnerability scanning activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6a379d74-903b-244a-4c44-838728bea6b0

Analyse data obtained from continuous monitoring

CMA_C1169 - Analyse data obtained from continuous monitoring

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6ab47bbf-867e-9113-7998-89b58f77326a

Respond to complaints, concerns, or questions timely

CMA_C1853 - Respond to complaints, concerns, or questions timely

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

34738025-5925-51f9-1081-f2d0060133ed

Information security and personal data protection

CMA_0332 - Information security and personal data protection

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

29acfac0-4bb4-121b-8283-8943198b1549

Review and update identification and authentication policies and procedures

CMA_C1299 - Review and update identification and authentication policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2927e340-60e4-43ad-6b5f-7a1468232cc2

Configure detection whitelist

CMA_0068 - Configure detection whitelist

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

76d66b5c-85e4-93f5-96a5-ebb2fad61dc6

Terminate customer controlled account credentials

CMA_C1022 - Terminate customer controlled account credentials

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

de077e7e-0cc8-65a6-6e08-9ab46c827b05

Produce, control and distribute asymmetric cryptographic keys

CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

33832848-42ab-63f3-1a55-c0ad309d44cd

Implement an automated configuration management tool

CMA_0311 - Implement an automated configuration management tool

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2af551d5-1775-326a-0589-590bfb7e9eb2

Limit privileges to make changes in production environment

CMA_C1206 - Limit privileges to make changes in production environment

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ffea18d9-13de-6505-37f3-4c1f88070ad7

Review cloud service provider's compliance with policies and agreements

CMA_0469 - Review cloud service provider's compliance with policies and agreements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8f835d6a-4d13-9a9c-37dc-176cebd37fda

Document wireless access security controls

CMA_C1695 - Document wireless access security controls

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b1666a13-8f67-9c47-155e-69e027ff6823

Enforce mandatory and discretionary access control policies

CMA_0246 - Enforce mandatory and discretionary access control policies

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c7e8ddc1-14aa-1814-7fe1-aad1742b27da

Enforce expiration of cached authenticators

CMA_C1343 - Enforce expiration of cached authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5e4e9685-3818-5934-0071-2620c4fa2ca5

Retain previous versions of baseline configs

CMA_C1181 - Retain previous versions of baseline configs

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0123edae-3567-a05a-9b05-b53ebe9d3e7e

View and configure system diagnostic data

CMA_0544 - View and configure system diagnostic data

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1ff03f2a-974b-3272-34f2-f6cd51420b30

Obscure feedback information during authentication process

CMA_C1344 - Obscure feedback information during authentication process

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

dd2523d5-2db3-642b-a1cf-83ac973b32c2

Establish benchmarks for flaw remediation

CMA_C1675 - Establish benchmarks for flaw remediation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

08ad71d0-52be-6503-4908-e015460a16ae

Require use of individual authenticators

CMA_C1305 - Require use of individual authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

873895e8-0e3a-6492-42e9-22cd030e9fcd

Restrict access to privileged accounts

CMA_0446 - Restrict access to privileged accounts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb

Document customer-defined actions

CMA_C1582 - Document customer-defined actions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8a703eb5-4e53-701b-67e4-05ba2f7930c8

Separate user and information system management functionality

CMA_0493 - Separate user and information system management functionality

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f7eb1d0b-6d4f-2d59-1591-7563e11a9313

Define and enforce conditions for shared and group accounts

CMA_0117 - Define and enforce conditions for shared and group accounts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5f2e834d-7e40-a4d5-a216-e49b16955ccf

Establish requirements for internet service providers

CMA_0278 - Establish requirements for internet service providers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

cb8841d4-9d13-7292-1d06-ba4d68384681

Perform a business impact assessment and application criticality assessment

CMA_0386 - Perform a business impact assessment and application criticality assessment

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b8689b2e-4308-a58b-a0b4-6f3343a000df

Use automated mechanisms for security alerts

CMA_C1707 - Use automated mechanisms for security alerts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

611ebc63-8600-50b6-a0e3-fef272457132

Employ independent team for penetration testing

CMA_C1171 - Employ independent team for penetration testing

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f

Perform vulnerability scans

CMA_0393 - Perform vulnerability scans

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

dc7ec756-221c-33c8-0afe-c48e10e42321

Verify security controls for external information systems

CMA_0541 - Verify security controls for external information systems

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

055da733-55c6-9e10-8194-c40731057ec4

Develop and maintain a vulnerability management standard

CMA_0152 - Develop and maintain a vulnerability management standard

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c423e64d-995c-9f67-0403-b540f65ba42a

Assess Security Controls

CMA_C1145 - Assess Security Controls

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

836f8406-3b8a-11bb-12cb-6c7fa0765668

Develop configuration item identification plan

CMA_C1231 - Develop configuration item identification plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

575ed5e8-4c29-99d0-0e4d-689fb1d29827

Automate approval request for proposed changes

CMA_C1192 - Automate approval request for proposed changes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c72fc0c8-2df8-7506-30be-6ba1971747e1

Automate implementation of approved change notifications

CMA_C1196 - Automate implementation of approved change notifications

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d9af7f88-686a-5a8b-704b-eafdab278977

Obtain legal opinion for monitoring system activities

CMA_C1688 - Obtain legal opinion for monitoring system activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

18e9d748-73d4-0c96-55ab-b108bfbd5bc3

Notify personnel of any failed security verification tests

CMA_C1710 - Notify personnel of any failed security verification tests

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

79f081c7-1634-01a1-708e-376197999289

Review user accounts

CMA_0480 - Review user accounts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c246d146-82b0-301f-32e7-1065dcd248b7

Review changes for any unauthorized changes

CMA_C1204 - Review changes for any unauthorized changes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5bac5fb7-7735-357b-767d-02264bfe5c3b

Perform all non-local maintenance

CMA_C1417 - Perform all non-local maintenance

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

1cb4d9c2-f88f-4069-bee0-dba239a57b09

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines

Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Windows virtual machines.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3bd4e0af-7cbb-a3ec-4918-056a3c017ae2

Keep SORNs updated

CMA_C1863 - Keep SORNs updated

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b6ad009f-5c24-1dc0-a25e-74b60e4da45f

Control maintenance and repair activities

CMA_0080 - Control maintenance and repair activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0f4fa857-079d-9d3d-5c49-21f616189e03

Provide real-time alerts for audit event failures

CMA_C1114 - Provide real-time alerts for audit event failures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

00f12b6f-10d7-8117-9577-0f2b76488385

Integrate risk management process into SDLC

CMA_C1567 - Integrate risk management process into SDLC

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

13efd2d7-3980-a2a4-39d0-527180c009e8

Document security assurance requirements in acquisition contracts

CMA_0199 - Document security assurance requirements in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

dad1887d-161b-7b61-2e4d-5124a7b5724e

Measure the time between flaw identification and flaw remediation

CMA_C1674 - Measure the time between flaw identification and flaw remediation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2

[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

Create alternative actions for identified anomalies

CMA_C1711 - Create alternative actions for identified anomalies

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f27a298f-9443-014a-0d40-fef12adf0259

Review administrator assignments weekly

CMA_0461 - Review administrator assignments weekly

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ced727b3-005e-3c5b-5cd5-230b79d56ee8

Implement a fault tolerant name/address service

CMA_0305 - Implement a fault tolerant name/address service

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

524e7136-9f6a-75ba-9089-501018151346

[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

Document security and privacy training activities

CMA_0198 - Document security and privacy training activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

33602e78-35e3-4f06-17fb-13dd887448e4

Conduct capacity planning

CMA_C1252 - Conduct capacity planning

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

eab4450d-9e5c-4f38-0656-2ff8c78c83f3

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines

Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment applies to Trusted Launch and Confidential Linux virtual machines.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

Document and implement privacy complaint procedures

CMA_0189 - Document and implement privacy complaint procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

be1c34ab-295a-07a6-785c-36f63c1d223e

Obtain user security function documentation

CMA_C1581 - Obtain user security function documentation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8c255136-994b-9616-79f5-ae87810e0dcf

Enable network protection

CMA_0238 - Enable network protection

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8b333332-6efd-7c0d-5a9f-d1eb95105214

Employ FIPS 201-approved technology for PIV

CMA_C1579 - Employ FIPS 201-approved technology for PIV

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b262e1dd-08e9-41d4-963a-258909ad794b

Implement managed interface for each external service

CMA_C1626 - Implement managed interface for each external service

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6f3866e8-6e12-69cf-788c-809d426094a1

Establish electronic signature and certificate requirements

CMA_0271 - Establish electronic signature and certificate requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b8972f60-8d77-1cb8-686f-9c9f4cdd8a59

Use dedicated machines for administrative tasks

CMA_0527 - Use dedicated machines for administrative tasks

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b28c8687-4bbd-8614-0b96-cdffa1ac6d9c

Review and update incident response policies and procedures

CMA_C1352 - Review and update incident response policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

46ab2c5e-6654-1f58-8c83-e97a44f39308

Identify external service providers

CMA_C1591 - Identify external service providers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

09960521-759e-5d12-086f-4192a72a5e92

Protect administrator and user documentation

CMA_C1583 - Protect administrator and user documentation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7a114735-a420-057d-a651-9a73cd0416ef

Require developers to provide unified security protection approach

CMA_C1614 - Require developers to provide unified security protection approach

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e4b00788-7e1c-33ec-0418-d048508e095b

Implement training for protecting authenticators

CMA_0329 - Implement training for protecting authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

77acc53d-0f67-6e06-7d04-5750653d4629

Document the protection of cardholder data in third party contracts

CMA_0207 - Document the protection of cardholder data in third party contracts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

94c842e3-8098-38f9-6d3f-8872b790527d

Remove or redact any PII

CMA_C1833 - Remove or redact any PII

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7ded6497-815d-6506-242b-e043e0273928

Plan for resumption of essential business functions

CMA_C1253 - Plan for resumption of essential business functions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f96d2186-79df-262d-3f76-f371e3b71798

Review user privileges

CMA_C1039 - Review user privileges

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8e49107c-3338-40d1-02aa-d524178a2afe

Deliver security assessment results

CMA_C1147 - Deliver security assessment results

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1c258345-5cd4-30c8-9ef3-5ee4dd5231d6

Develop security assessment plan

CMA_C1144 - Develop security assessment plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

34aac8b2-488a-2b96-7280-5b9b481a317a

Incorporate flaw remediation into configuration management

CMA_C1671 - Incorporate flaw remediation into configuration management

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5fe84a4c-1b0c-a738-2aba-ed49c9069d3b

Prohibit unfair practices

CMA_0396 - Prohibit unfair practices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7d7a8356-5c34-9a95-3118-1424cfaf192a

Adopt biometric authentication mechanisms

CMA_0005 - Adopt biometric authentication mechanisms

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b7306e73-0494-83a2-31f5-280e934a8f70

Develop and document a DDoS response plan

CMA_0147 - Develop and document a DDoS response plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0065241c-72e9-3b2c-556f-75de66332a94

Establish parameters for searching secret authenticators and verifiers

CMA_0274 - Establish parameters for searching secret authenticators and verifiers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e714b481-8fac-64a2-14a9-6f079b2501a4

Use privileged identity management

CMA_0533 - Use privileged identity management

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5715bf33-a5bd-1084-4e19-bc3c83ec1c35

Establish terms and conditions for processing resources

CMA_C1077 - Establish terms and conditions for processing resources

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c2eabc28-1e5c-78a2-a712-7cc176c44c07

Implement a penetration testing methodology

CMA_0306 - Implement a penetration testing methodology

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6c79c3e5-5f7b-a48a-5c7b-8c158bc01115

Ensure security categorization is approved

CMA_C1540 - Ensure security categorization is approved

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8b1da407-5e60-5037-612e-2caa1b590719

Record disclosures of PII to third parties

CMA_0422 - Record disclosures of PII to third parties

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9

Review and update personnel security policies and procedures

CMA_C1507 - Review and update personnel security policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f131c8c5-a54a-4888-1efc-158928924bc1

Require developers to build security architecture

CMA_C1612 - Require developers to build security architecture

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3e37c891-840c-3eb4-78d2-e2e0bb5063e0

Require developers to describe accurate security functionality

CMA_C1613 - Require developers to describe accurate security functionality

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

80029bc5-834f-3a9c-a2d8-acbc1aab4e9f

Employ restrictions on external system interconnections

CMA_C1155 - Employ restrictions on external system interconnections

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b11697e8-9515-16f1-7a35-477d5c8a1344

Protect data in transit using encryption

CMA_0403 - Protect data in transit using encryption

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

afd5d60a-48d2-8073-1ec2-6687e22f2ddd

Require notification of third-party personnel transfer or termination

CMA_C1532 - Require notification of third-party personnel transfer or termination

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3eabed6d-1912-2d3c-858b-f438d08d0412

Ensure external providers consistently meet interests of the customers

CMA_C1592 - Ensure external providers consistently meet interests of the customers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

aa892c0d-2c40-200c-0dd8-eac8c4748ede

Employ automatic emergency lighting

CMA_0209 - Employ automatic emergency lighting

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5decc032-95bd-2163-9549-a41aba83228e

Implement formal sanctions process

CMA_0317 - Implement formal sanctions process

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c148208b-1a6f-a4ac-7abc-23b1d41121b1

Document the information system environment in acquisition contracts

CMA_0205 - Document the information system environment in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0ba211ef-0e85-2a45-17fc-401d1b3f8f85

Document requirements for the use of shared data in contracts

CMA_0197 - Document requirements for the use of shared data in contracts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

585af6e9-90c0-4575-67a7-2f9548972e32

Review and reevaluate privileges

CMA_C1207 - Review and reevaluate privileges

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0fd1ca29-677b-2f12-1879-639716459160

Maintain data breach records

CMA_0351 - Maintain data breach records

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

29363ae1-68cd-01ca-799d-92c9197c8404

Manage authenticator lifetime and reuse

CMA_0355 - Manage authenticator lifetime and reuse

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b7897ddc-9716-2460-96f7-7757ad038cc4

Assign risk designations

CMA_0016 - Assign risk designations

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4

[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (6.0.0-preview > 7.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

Employ automatic shutdown/restart when violations are detected

CMA_C1715 - Employ automatic shutdown/restart when violations are detected

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3b30aa25-0f19-6c04-5ca4-bd3f880a763d

Implement parameters for memorized secret verifiers

CMA_0321 - Implement parameters for memorized secret verifiers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3153d9c0-2584-14d3-362d-578b01358aeb

Retain training records

CMA_0456 - Retain training records

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c7fddb0e-3f44-8635-2b35-dc6b8e740b7c

Identify and manage downstream information exchanges

CMA_0298 - Identify and manage downstream information exchanges

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

48c816c5-2190-61fc-8806-25d6f3df162f

Monitor access across the organization

CMA_0376 - Monitor access across the organization

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

22457e81-3ec6-5271-a786-c3ca284601dd

Isolate information spills

CMA_0346 - Isolate information spills

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4ce91e4e-6dab-3c46-011a-aa14ae1561bf

Maintain list of authorized remote maintenance personnel

CMA_C1420 - Maintain list of authorized remote maintenance personnel

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

72889284-15d2-90b2-4b39-a1e9541e1152

Verify identity before distributing authenticators

CMA_0538 - Verify identity before distributing authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

623b5f0a-8cbd-03a6-4892-201d27302f0c

Define information system account types

CMA_0121 - Define information system account types

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

97d91b33-7050-237b-3e23-a77d57d84e13

Issue public key certificates

CMA_0347 - Issue public key certificates

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b6b32f80-a133-7600-301e-398d688e7e0c

Evaluate and review PII holdings regularly

CMA_C1832 - Evaluate and review PII holdings regularly

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d78f95ba-870a-a500-6104-8a5ce2534f19

Document protection of security information in acquisition contracts

CMA_0195 - Document protection of security information in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ba78efc6-795c-64f4-7a02-91effbd34af9

Execute actions in response to information spills

CMA_0281 - Execute actions in response to information spills

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e7422f08-65b4-50e4-3779-d793156e0079

Develop a concept of operations (CONOPS)

CMA_0141 - Develop a concept of operations (CONOPS)

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

26daf649-22d1-97e9-2a8a-01b182194d59

Configure workstations to check for digital certificates

CMA_0073 - Configure workstations to check for digital certificates

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

279052a0-8238-694d-9661-bf649f951747

Identify contaminated systems and components

CMA_0300 - Identify contaminated systems and components

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

af227964-5b8b-22a2-9364-06d2cb9d6d7c

Develop information security policies and procedures

CMA_0158 - Develop information security policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5c33538e-02f8-0a7f-998b-a4c1e22076d3

Govern compliance of cloud service providers

CMA_0290 - Govern compliance of cloud service providers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0a24f5dc-8c40-94a7-7aee-bb7cd4781d37

Issue guidelines for ensuring data quality and integrity

CMA_C1824 - Issue guidelines for ensuring data quality and integrity

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

496b407d-9b9e-81e8-4ba4-44bc686b016a

Conduct exit interview upon termination

CMA_0058 - Conduct exit interview upon termination

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e1379836-3492-6395-451d-2f5062e14136

Identify and authenticate non-organizational users

CMA_C1346 - Identify and authenticate non-organizational users

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b269a749-705e-8bff-055a-147744675cdf

Conduct backup of information system documentation

CMA_C1289 - Conduct backup of information system documentation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

90a156a6-49ed-18d1-1052-69aac27c05cd

Allocate resources in determining information system requirements

CMA_C1561 - Allocate resources in determining information system requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

07b42fb5-027e-5a3c-4915-9d9ef3020ec7

Discover any indicators of compromise

CMA_C1702 - Discover any indicators of compromise

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d

Manage maintenance personnel

CMA_C1421 - Manage maintenance personnel

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ca748dfe-3e28-1d18-4221-89aea30aa0a5

Identify status of individual users

CMA_C1316 - Identify status of individual users

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b3c8cc83-20d3-3890-8bc8-5568777670f4

Establish requirements for audit review and reporting

CMA_0277 - Establish requirements for audit review and reporting

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a930f477-9dcb-2113-8aa7-45bb6fc90861

Review and update the events defined in AU-02

CMA_C1106 - Review and update the events defined in AU-02

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8747b573-8294-86a0-8914-49e9b06a5ace

Establish configuration management requirements for developers

CMA_0270 - Establish configuration management requirements for developers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2cc9c165-46bd-9762-5739-d2aae5ba90a1

Automate account management

CMA_0026 - Automate account management

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

97f0d974-1486-01e2-2088-b888f46c0589

Train personnel on disclosure of nonpublic information

CMA_C1084 - Train personnel on disclosure of nonpublic information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f3c17714-8ce7-357f-4af2-a0baa63a063f

Make SORNs available publicly

CMA_C1865 - Make SORNs available publicly

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b0e3035d-6366-2e37-796e-8bcab9c649e6

Establish a threat intelligence program

CMA_0260 - Establish a threat intelligence program

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e336d5f4-4d8f-0059-759c-ae10f63d1747

Enforce user uniqueness

CMA_0250 - Enforce user uniqueness

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

23d1a569-2d1e-7f43-9e22-1f94115b7dd5

Identify classes of Incidents and Actions taken

CMA_C1365 - Identify classes of Incidents and Actions taken

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

396f465d-375e-57de-58ba-021adb008191

Invalidate session identifiers at logout

CMA_C1661 - Invalidate session identifiers at logout

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

97cfd944-6f0c-7db2-3796-8e890ef70819

Establish conditions for role membership

CMA_0269 - Establish conditions for role membership

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0461cacd-0b3b-4f66-11c5-81c9b19a3d22

Verify inaccurate or outdated PII

CMA_C1823 - Verify inaccurate or outdated PII

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

efef28d0-3226-966a-a1e8-70e89c1b30bc

Retain security policies and procedures

CMA_0454 - Retain security policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e7589f4e-1e8b-72c2-3692-1e14d7f3699f

Ensure access agreements are signed or resigned timely

CMA_C1528 - Ensure access agreements are signed or resigned timely

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

25a1f840-65d0-900a-43e4-bee253de04de

Define requirements for managing assets

CMA_0125 - Define requirements for managing assets

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10

Disable authenticators upon termination

CMA_0169 - Disable authenticators upon termination

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6f311b49-9b0d-8c67-3d6e-db80ae528173

Bind authenticators and identities dynamically

CMA_0035 - Bind authenticators and identities dynamically

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

834b7a4a-83ab-2188-1a26-9c5033d8173b

Incorporate security and data privacy practices in research processing

CMA_0331 - Incorporate security and data privacy practices in research processing

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

10c4210b-3ec9-9603-050d-77e4d26c7ebb

Enforce logical access

CMA_0245 - Enforce logical access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

95eb7d09-9937-5df9-11d9-20317e3f60df

Provide formal notice to individuals

CMA_C1864 - Provide formal notice to individuals

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ece8bb17-4080-5127-915f-dc7267ee8549

Verify security functions

CMA_C1708 - Verify security functions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e

Implement methods for consumer requests

CMA_0319 - Implement methods for consumer requests

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4

Define mobile device requirements

CMA_0122 - Define mobile device requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

59bedbdc-0ba9-39b9-66bb-1d1c192384e6

Control information flow

CMA_0079 - Control information flow

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6c0a312f-04c5-5c97-36a5-e56763a02b6b

Review and sign revised rules of behavior

CMA_0465 - Review and sign revised rules of behavior

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d8350d4c-9314-400b-288f-20ddfce04fbd

Define and enforce the limit of concurrent sessions

CMA_C1050 - Define and enforce the limit of concurrent sessions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

db28735f-518f-870e-15b4-49623cbe3aa0

Verify software, firmware and information integrity

CMA_0542 - Verify software, firmware and information integrity

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c2cb4658-44dc-9d11-3dad-7c6802dd5ba3

Generate error messages

CMA_C1724 - Generate error messages

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

db580551-0b3c-4ea1-8a4c-4cdb5feb340f

Provide the logout capability

CMA_C1055 - Provide the logout capability

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d91558ce-5a5c-551b-8fbb-83f793255e09

Route traffic through authenticated proxy network

CMA_C1633 - Route traffic through authenticated proxy network

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7d10debd-4775-85a7-1a41-7e128e0e8c50

Automate process to prohibit implementation of unapproved changes

CMA_C1194 - Automate process to prohibit implementation of unapproved changes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

81b6267b-97a7-9aa5-51ee-d2584a160424

Create separate alternate and primary storage sites

CMA_C1269 - Create separate alternate and primary storage sites

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

21832235-7a07-61f4-530d-d596f76e5b95

Implement security testing, training, and monitoring plans

CMA_C1753 - Implement security testing, training, and monitoring plans

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4e400494-53a5-5147-6f4d-718b539c7394

Manage compliance activities

CMA_0358 - Manage compliance activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a315c657-4a00-8eba-15ac-44692ad24423

Protect special information

CMA_0409 - Protect special information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

adf517f3-6dcd-3546-9928-34777d0c277e

Review and update system and communications protection policies and procedures

CMA_C1616 - Review and update system and communications protection policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c42f19c9-5d88-92da-0742-371a0ea03126

Clear personnel with access to classified information

CMA_0054 - Clear personnel with access to classified information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

84245967-7882-54f6-2d34-85059f725b47

Establish an information security program

CMA_0263 - Establish an information security program

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

eda0cbb7-6043-05bf-645b-67411f1a59b3

Ensure there are no unencrypted static authenticators

CMA_C1340 - Ensure there are no unencrypted static authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9ac8621d-9acd-55bf-9f99-ee4212cc3d85

Provide periodic role-based security training

CMA_C1095 - Provide periodic role-based security training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ad1d562b-a04b-15d3-6770-ed310b601cb5

Publish rules and regulations accessing Privacy Act records

CMA_C1847 - Publish rules and regulations accessing Privacy Act records

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ff136354-1c92-76dc-2dab-80fb7c6a9f1a

Observe and report security weaknesses

CMA_0384 - Observe and report security weaknesses

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4502e506-5f35-0df4-684f-b326e3cc7093

Terminate user session automatically

CMA_C1054 - Terminate user session automatically

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9e3c505e-7aeb-2096-3417-b132242731fc

Review content prior to posting publicly accessible information

CMA_C1085 - Review content prior to posting publicly accessible information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

af5ff768-a34b-720e-1224-e6b3214f3ba6

Establish an alternate processing site

CMA_0262 - Establish an alternate processing site

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c5784049-959f-6067-420c-f4cefae93076

Coordinate contingency plans with related plans

CMA_0086 - Coordinate contingency plans with related plans

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

74041cfe-3f87-1d17-79ec-34ca5f895542

Produce complete records of remote maintenance activities

CMA_C1403 - Produce complete records of remote maintenance activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

68a39c2b-0f17-69ee-37a3-aa10f9853a08

Establish voip usage restrictions

CMA_0280 - Establish voip usage restrictions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f8d141b7-4e21-62a6-6608-c79336e36bc9

Establish privacy requirements for contractors and service providers

CMA_C1810 - Establish privacy requirements for contractors and service providers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ee67c031-57fc-53d0-0cca-96c4c04345e8

Document and distribute a privacy policy

CMA_0188 - Document and distribute a privacy policy

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6228396e-2ace-7ca5-3247-45767dbf52f4

Notify personnel upon sanctions

CMA_0380 - Notify personnel upon sanctions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

37b0045b-3887-367b-8b4d-b9a6fa911bb9

Assess information security events

CMA_0013 - Assess information security events

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

171e377b-5224-4a97-1eaa-62a3b5231dac

Generate internal security alerts

CMA_C1704 - Generate internal security alerts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

84a01872-5318-049e-061e-d56734183e84

Distribute information system documentation

CMA_C1584 - Distribute information system documentation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0

Establish authenticator types and processes

CMA_0267 - Establish authenticator types and processes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

449ebb52-945b-36e5-3446-af6f33770f8f

Update the security authorization

CMA_C1160 - Update the security authorization

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6baae474-434f-2e91-7163-a72df30c4847

Manage security state of information systems

CMA_C1746 - Manage security state of information systems

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

fd81a1b3-2d7a-107c-507e-29b87d040c19

Enforce appropriate usage of all accounts

CMA_C1023 - Enforce appropriate usage of all accounts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a1334a65-2622-28ee-5067-9d7f5b915cc5

Communicate contingency plan changes

CMA_C1249 - Communicate contingency plan changes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2e7a98c9-219f-0d58-38dc-d69038224442

Protect the information security program plan

CMA_C1732 - Protect the information security program plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

22a02c9a-49e4-5dc9-0d14-eb35ad717154

Obtain design and implementation information for the security controls

CMA_C1576 - Obtain design and implementation information for the security controls

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

28aa060e-25c7-6121-05d8-a846f11433df

Review and update planning policies and procedures

CMA_C1491 - Review and update planning policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c0559109-6a27-a217-6821-5a6d44f92897

Maintain integrity of audit system

CMA_C1133 - Maintain integrity of audit system

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c6fe3856-4635-36b6-983c-070da12a953b

Implement the risk management strategy

CMA_C1744 - Implement the risk management strategy

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a8f9c283-9a66-3eb3-9e10-bdba95b85884

Run simulation attacks

CMA_0486 - Run simulation attacks

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4f23967c-a74b-9a09-9dc2-f566f61a87b9

Establish backup policies and procedures

CMA_0268 - Establish backup policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

01c387ea-383d-4ca9-295a-977fab516b03

Authorize remote access to privileged commands

CMA_C1064 - Authorize remote access to privileged commands

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

20762f1e-85fb-31b0-a600-e833633f10fe

Reveal error messages

CMA_C1725 - Reveal error messages

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

96333008-988d-4add-549b-92b3a8c42063

Update privacy plan, policies, and procedures

CMA_C1807 - Update privacy plan, policies, and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

50e9324a-7410-0539-0662-2c1e775538b7

Authorize and manage access

CMA_0023 - Authorize and manage access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

13939f8c-4cd5-a6db-9af4-9dfec35e3722

Identify and mitigate potential issues at alternate storage site

CMA_C1271 - Identify and mitigate potential issues at alternate storage site

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

fad161f5-5261-401a-22dd-e037bae011bd

Review threat protection status weekly

CMA_0479 - Review threat protection status weekly

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5d3abfea-a130-1208-29c0-e57de80aa6b0

Review the results of contingency plan testing

CMA_C1262 - Review the results of contingency plan testing

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

069101ac-4578-31da-0cd4-ff083edd3eb4

Obtain consent prior to collection or processing of personal data

CMA_0385 - Obtain consent prior to collection or processing of personal data

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ef5a7059-6651-73b1-18b3-75b1b79c1565

Define information security roles and responsibilities

CMA_C1565 - Define information security roles and responsibilities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2d14ff7e-6ff9-838c-0cde-4962ccdb1689

Employ business case to record the resources required

CMA_C1735 - Employ business case to record the resources required

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

57adc919-9dca-817c-8197-64d812070316

Develop an enterprise architecture

CMA_C1741 - Develop an enterprise architecture

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4aacaec9-0628-272c-3e83-0d68446694e0

Manage Authenticators

CMA_C1321 - Manage Authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

44b71aa8-099d-8b97-1557-0e853ec38e0d

Obtain functional properties of security controls

CMA_C1575 - Obtain functional properties of security controls

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ffdaa742-0d6f-726f-3eac-6e6c34e36c93

Establish usage restrictions for mobile code technologies

CMA_C1652 - Establish usage restrictions for mobile code technologies

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

35de8462-03ff-45b3-5746-9d4603c74c56

Implement an insider threat program

CMA_C1751 - Implement an insider threat program

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e23444b9-9662-40f3-289e-6d25c02b48fa

Review label activity and analytics

CMA_0474 - Review label activity and analytics

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4e45863d-9ea9-32b4-a204-2680bc6007a6

Require external service providers to comply with security requirements

CMA_C1586 - Require external service providers to comply with security requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

678ca228-042d-6d8e-a598-c58d5670437d

Prohibit remote activation of collaborative computing devices

CMA_C1648 - Prohibit remote activation of collaborative computing devices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

cbfa1bd0-714d-8d6f-0480-2ad6a53972df

Define and document government oversight

CMA_C1587 - Define and document government oversight

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

979ed3b6-83f9-26bc-4b86-5b05464700bf

Modify access authorizations upon personnel transfer

CMA_0374 - Modify access authorizations upon personnel transfer

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

dad8a2e9-6f27-4fc2-8933-7e99fe700c9c

Authorize remote access

CMA_0024 - Authorize remote access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d36700f2-2f0d-7c2a-059c-bdadd1d79f70

Establish a risk management strategy

CMA_0258 - Establish a risk management strategy

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

518eafdd-08e5-37a9-795b-15a8d798056d

Provide privacy training

CMA_0415 - Provide privacy training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6b957f60-54cd-5752-44d5-ff5a64366c93

Develop SSP that meets criteria

CMA_C1492 - Develop SSP that meets criteria

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

92ede480-154e-0e22-4dca-8b46a74a3a51

Maintain records of processing of personal data

CMA_0353 - Maintain records of processing of personal data

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

12af7c7a-92af-9e96-0d0c-5e732d1a3751

Ensure information system fails in known state

CMA_C1662 - Ensure information system fails in known state

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

57927290-8000-59bf-3776-90c468ac5b4b

Document security functional requirements in acquisition contracts

CMA_0201 - Document security functional requirements in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

97566dd7-78ae-4997-8b36-1c7bfe0d8121

[Preview]: Secure Boot should be enabled on supported Windows virtual machines

Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines.

Default
Audit
Allowed
Audit, Disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

56fb5173-3865-5a5d-5fad-ae33e53e1577

Address information security issues

CMA_C1742 - Address information security issues

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

37dbe3dc-0e9c-24fa-36f2-11197cbfa207

Ensure authorized users protect provided authenticators

CMA_C1339 - Ensure authorized users protect provided authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

91cf132e-0c9f-37a8-a523-dc6a92cd2fb2

Review and update physical and environmental policies and procedures

CMA_C1446 - Review and update physical and environmental policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

dbcef108-7a04-38f5-8609-99da110a2a57

Determine information protection needs

CMA_C1750 - Determine information protection needs

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e603da3a-8af7-4f8a-94cb-1bcc0e0333d2

Manage the input, output, processing, and storage of data

CMA_0369 - Manage the input, output, processing, and storage of data

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

10874318-0bf7-a41f-8463-03e395482080

Correlate audit records

CMA_0087 - Correlate audit records

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

68d2e478-3b19-23eb-1357-31b296547457

Enforce software execution privileges

CMA_C1041 - Enforce software execution privileges

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8b077bff-516f-3983-6c42-c86e9a11868b

Designate individuals to fulfill specific roles and responsibilities

CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7bdb79ea-16b8-453e-4ca4-ad5b16012414

Transfer backup information to an alternate storage site

CMA_C1294 - Transfer backup information to an alternate storage site

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

82bd024a-5c99-05d6-96ff-01f539676a1a

Monitor security and privacy training completion

CMA_0379 - Monitor security and privacy training completion

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

14a4fd0a-9100-1e12-1362-792014a28155

Update contingency plan

CMA_C1248 - Update contingency plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

245fe58b-96f8-9f1e-48c5-7f49903f66fd

Establish alternate storage site that facilitates recovery operations

CMA_C1270 - Establish alternate storage site that facilitates recovery operations

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3ad7f0bc-3d03-0585-4d24-529779bb02c2

Maintain availability of information

CMA_C1644 - Maintain availability of information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0040d2e5-2779-170d-6a2c-1f5fca353335

Restrict location of information processing, storage and services

CMA_C1593 - Restrict location of information processing, storage and services

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e29a8f1b-149b-2fa3-969d-ebee1baa9472

Assign an authorizing official (AO)

CMA_C1158 - Assign an authorizing official (AO)

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c4ccd607-702b-8ae6-8eeb-fc3339cd4b42

Define cryptographic use

CMA_0120 - Define cryptographic use

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f33c3238-11d2-508c-877c-4262ec1132e1

Recover and reconstitute resources after any disruption

CMA_C1295 - Recover and reconstitute resources after any disruption

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Monitoring

383c45fa-8b64-4d1c-aa9f-e69d2d879aa4

The legacy Log Analytics extension should not be installed on Linux virtual machine scale sets

Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1afada58-8b34-7ac2-a38a-983218635201

Define acceptable and unacceptable mobile code technologies

CMA_C1651 - Define acceptable and unacceptable mobile code technologies

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

08c11b48-8745-034d-1c1b-a144feec73b9

Restrict use of open source software

CMA_C1237 - Restrict use of open source software

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

db8b35d6-8adb-3f51-44ff-c648ab5b1530

Employ FICAM-approved resources to accept third-party credentials

CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b53aa659-513e-032c-52e6-1ce0ba46582f

Configure actions for noncompliant devices

CMA_0062 - Configure actions for noncompliant devices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9c93ef57-7000-63fb-9b74-88f2e17ca5d2

Disseminate security alerts to personnel

CMA_C1705 - Disseminate security alerts to personnel

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4781e5fd-76b8-7d34-6df3-a0a7fca47665

Prevent identifier reuse for the defined time period

CMA_C1314 - Prevent identifier reuse for the defined time period

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0e696f5a-451f-5c15-5532-044136538491

Protect audit information

CMA_0401 - Protect audit information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9

Integrate cloud app security with a siem

CMA_0340 - Integrate cloud app security with a siem

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

60442979-6333-85f0-84c5-b887bac67448

Evaluate alternate processing site capabilities

CMA_C1266 - Evaluate alternate processing site capabilities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

21633c09-804e-7fcd-78e3-635c6bfe2be7

Provide capability to process customer-controlled audit records

CMA_C1126 - Provide capability to process customer-controlled audit records

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4a6f5cbd-6c6b-006f-2bb1-091af1441bce

Review malware detections report weekly

CMA_0475 - Review malware detections report weekly

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d041726f-00e0-41ca-368c-b1a122066482

Provide role-based practical exercises

CMA_C1096 - Provide role-based practical exercises

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f6da5cca-5795-60ff-49e1-4972567815fe

Require developer to identify SDLC ports, protocols, and services

CMA_C1578 - Require developer to identify SDLC ports, protocols, and services

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

eb1c944e-0e94-647b-9b7e-fdb8d2af0838

Review user groups and applications with access to sensitive data

CMA_0481 - Review user groups and applications with access to sensitive data

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

92b94485-1c49-3350-9ada-dffe94f08e87

Obtain approvals for acquisitions and outsourcing

CMA_C1590 - Obtain approvals for acquisitions and outsourcing

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e0c480bf-0d68-a42d-4cbb-b60f851f8716

Implement personnel screening

CMA_0322 - Implement personnel screening

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3af53f59-979f-24a8-540f-d7cdbc366607

Require users to sign access agreement

CMA_0440 - Require users to sign access agreement

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

20012034-96f0-85c2-4a86-1ae1eb457802

Review and update risk assessment policies and procedures

CMA_C1537 - Review and update risk assessment policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d200f199-69f4-95a6-90b0-37ff0cf1040c

Provide the capability to extend or limit auditing on customer-deployed resources

CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

874a6f2e-2098-53bc-3a16-20dcdc425a7e

Create configuration plan protection

CMA_C1233 - Create configuration plan protection

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b320aa42-33b4-53af-87ce-100091d48918

Document third-party personnel security requirements

CMA_C1531 - Document third-party personnel security requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c79d378a-2521-822a-0407-57454f8d2c74

Notify upon termination or transfer

CMA_0381 - Notify upon termination or transfer

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8aec4343-9153-9641-172c-defb201f56b3

Review cloud identity report overview

CMA_0468 - Review cloud identity report overview

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

be38a620-000b-21cf-3cb3-ea151b704c3b

Remediate information system flaws

CMA_0427 - Remediate information system flaws

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

26d178a4-9261-6f04-a100-47ed85314c6e

Implement security directives

CMA_C1706 - Implement security directives

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ae5345d5-8dab-086a-7290-db43a3272198

Identify and authenticate network devices

CMA_0296 - Identify and authenticate network devices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0f31d98d-5ce2-705b-4aa5-b4f6705110dd

Prepare alternate processing site for use as operational site

CMA_C1278 - Prepare alternate processing site for use as operational site

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9622aaa9-5c49-40e2-5bf8-660b7cd23deb

Alert personnel of information spillage

CMA_0007 - Alert personnel of information spillage

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

de251b09-4a5e-1204-4bef-62ac58d47999

Adjust level of audit review, analysis, and reporting

CMA_C1123 - Adjust level of audit review, analysis, and reporting

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9150259b-617b-596d-3bf5-5ca3fce20335

Establish policies for supply chain risk management

CMA_0275 - Establish policies for supply chain risk management

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d6653f89-7cb5-24a4-9d71-51581038231b

Reauthenticate or terminate a user session

CMA_0421 - Reauthenticate or terminate a user session

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7ad83b58-2042-085d-08f0-13e946f26f89

Update rules of behavior and access agreements every 3 years

CMA_0522 - Update rules of behavior and access agreements every 3 years

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

52375c01-4d4c-7acc-3aa4-5b3d53a047ec

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

Define the duties of processors

CMA_0127 - Define the duties of processors

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a8df9c78-4044-98be-2c05-31a315ac8957

Conform to FICAM-issued profiles

CMA_C1350 - Conform to FICAM-issued profiles

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

50e81644-923d-33fc-6ebb-9733bc8d1a06

Perform a trend analysis on threats

CMA_0389 - Perform a trend analysis on threats

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

27965e62-141f-8cca-426f-d09514ee5216

Establish and maintain an asset inventory

CMA_0266 - Establish and maintain an asset inventory

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8d140e8b-76c7-77de-1d46-ed1b2e112444

Restrict access to private keys

CMA_0445 - Restrict access to private keys

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

16c54e01-9e65-7524-7c33-beda48a75779

Produce, control and distribute symmetric cryptographic keys

CMA_C1645 - Produce, control and distribute symmetric cryptographic keys

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d18af1ac-0086-4762-6dc8-87cdded90e39

Perform a privacy impact assessment

CMA_0387 - Perform a privacy impact assessment

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

043c1e56-5a16-52f8-6af8-583098ff3e60

Create a data inventory

CMA_0096 - Create a data inventory

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

69d90ee6-9f9f-262a-2038-d909fb4e5723

Identify spilled information

CMA_0303 - Identify spilled information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

bf883b14-9c19-0f37-8825-5e39a8b66d5b

Perform threat modeling

CMA_0392 - Perform threat modeling

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

214ea241-010d-8926-44cc-b90a96d52adc

Compile Audit records into system wide audit

CMA_C1140 - Compile Audit records into system wide audit

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d7c1ecc3-2980-a079-1569-91aec8ac4a77

Conduct risk assessment and distribute its results

CMA_C1544 - Conduct risk assessment and distribute its results

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

06af77de-02ca-0f3e-838a-a9420fe466f5

Establish a discrete line item in budgeting documentation

CMA_C1563 - Establish a discrete line item in budgeting documentation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7380631c-5bf5-0e3a-4509-0873becd8a63

Establish a configuration control board

CMA_0254 - Establish a configuration control board

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e21f91d1-2803-0282-5f2d-26ebc4b170ef

Update organizational access agreements

CMA_0520 - Update organizational access agreements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Cosmos DB

9d83ccb1-f313-46ce-9d39-a198bfdb51a0

Azure Cosmos DB accounts should not exceed the maximum number of days allowed since last account key regeneration.

Regenerate your keys in the specified time to keep your data more protected.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d4f70530-19a2-2a85-6e0c-0c3c465e3325

Make accounting of disclosures available upon request

CMA_C1820 - Make accounting of disclosures available upon request

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c8aa992d-76b7-7ca0-07b3-31a58d773fa9

Employ automated training environment

CMA_C1357 - Employ automated training environment

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4c6df5ff-4ef2-4f17-a516-0da9189c603b

Assign account managers

CMA_0015 - Assign account managers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

725164e5-3b21-1ec2-7e42-14f077862841

Require compliance with intellectual property rights

CMA_0432 - Require compliance with intellectual property rights

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

05ec66a2-137c-14b8-8e75-3d7a2bef07f8

Implement physical security for offices, working areas, and secure areas

CMA_0323 - Implement physical security for offices, working areas, and secure areas

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

44f8a42d-739f-8030-89a8-4c2d5b3f6af3

Provide audit review, analysis, and reporting capability

CMA_C1124 - Provide audit review, analysis, and reporting capability

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f49925aa-9b11-76ae-10e2-6e973cc60f37

Review and update system and services acquisition policies and procedures

CMA_C1560 - Review and update system and services acquisition policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b8a9bb2f-7290-3259-85ce-dca7d521302d

Initiate transfer or reassignment actions

CMA_0333 - Initiate transfer or reassignment actions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8

Prevent split tunneling for remote devices

CMA_C1632 - Prevent split tunneling for remote devices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

80a97208-264e-79da-0cc7-4fca179a0c9c

Protect against and prevent data theft from departing employees

CMA_0398 - Protect against and prevent data theft from departing employees

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

77cc89bb-774f-48d7-8a84-fb8c322c3000

Track software license usage

CMA_C1235 - Track software license usage

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8019d788-713d-90a1-5570-dac5052f517d

Train staff on PII sharing and its consequences

CMA_C1871 - Train staff on PII sharing and its consequences

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1bc7fd64-291f-028e-4ed6-6e07886e163f

Employ least privilege access

CMA_0212 - Employ least privilege access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ba02d0a0-566a-25dc-73f1-101c726a19c5

Implement transaction based recovery

CMA_C1296 - Implement transaction based recovery

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6122970b-8d4a-7811-0278-4c6c68f61e4f

Restrict media use

CMA_0450 - Restrict media use

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4b8fd5da-609b-33bf-9724-1c946285a14c

Notify Account Managers of customer controlled accounts

CMA_C1009 - Notify Account Managers of customer controlled accounts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4ee5975d-2507-5530-a20a-83a725889c6f

Restrict unauthorized software and firmware installation

CMA_C1205 - Restrict unauthorized software and firmware installation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f78fc35e-1268-0bca-a798-afcba9d2330a

Select additional testing for security control assessments

CMA_C1149 - Select additional testing for security control assessments

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

056a723b-4946-9d2a-5243-3aa27c4d31a1

Satisfy token quality requirements

CMA_0487 - Satisfy token quality requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

34d38ea7-6754-1838-7031-d7fd07099821

Manage system and admin accounts

CMA_0368 - Manage system and admin accounts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3881168c-5d38-6f04-61cc-b5d87b2c4c58

Establish third-party personnel security requirements

CMA_C1529 - Establish third-party personnel security requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2d4d0e90-32d9-4deb-2166-a00d51ed57c0

Provide information spillage training

CMA_0413 - Provide information spillage training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

423f6d9c-0c73-9cc6-64f4-b52242490368

Develop security safeguards

CMA_0161 - Develop security safeguards

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7b28ba4f-0a87-46ac-62e1-46b7c09202a8

Monitor account activity

CMA_0377 - Monitor account activity

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

33d34fac-56a8-1c0f-0636-3ed94892a709

Govern the allocation of resources

CMA_0293 - Govern the allocation of resources

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ab02bb73-4ce1-89dd-3905-d93042809ba0

Align business objectives and IT goals

CMA_0008 - Align business objectives and IT goals

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b65c5d8e-9043-9612-2c17-65f231d763bb

Employ independent assessors to conduct security control assessments

CMA_C1148 - Employ independent assessors to conduct security control assessments

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1ee4c7eb-480a-0007-77ff-4ba370776266

Use system clocks for audit records

CMA_0535 - Use system clocks for audit records

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2b05dca2-25ec-9335-495c-29155f785082

Provide security training before providing access

CMA_0418 - Provide security training before providing access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

85335602-93f5-7730-830b-d43426fd51fa

Integrate Audit record analysis

CMA_C1120 - Integrate Audit record analysis

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f48b60c6-4b37-332f-7288-b6ea50d300eb

Review controlled folder access events

CMA_0471 - Review controlled folder access events

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1282809c-9001-176b-4a81-260a085f4872

Perform audit for configuration change control

CMA_0390 - Perform audit for configuration change control

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c6b877a6-5d6d-1862-4b7f-3ccc30b25b63

Verify personal data is deleted at the end of processing

CMA_0540 - Verify personal data is deleted at the end of processing

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba

Review file and folder activity

CMA_0473 - Review file and folder activity

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c7d57a6a-7cc2-66c0-299f-83bf90558f5d

Enforce random unique session identifiers

CMA_0247 - Enforce random unique session identifiers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b4409bff-2287-8407-05fd-c73175a68302

Enforce a limit of consecutive failed login attempts

CMA_C1044 - Enforce a limit of consecutive failed login attempts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

32f22cfa-770b-057c-965b-450898425519

Revoke privileged roles as appropriate

CMA_0483 - Revoke privileged roles as appropriate

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

516be556-1353-080d-2c2f-f46f000d5785

Provide periodic security awareness training

CMA_C1091 - Provide periodic security awareness training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9c954fcf-6dd8-81f1-41b5-832ae5c62caf

Incorporate simulated contingency training

CMA_C1260 - Incorporate simulated contingency training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Monitoring

d4b065e2-fbda-4461-a42c-b0346aeb12a0

The legacy Log Analytics extension should not be installed on Linux virtual machines

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

18e7906d-4197-20fa-2f14-aaac21864e71

Document process to ensure integrity of PII

CMA_C1827 - Document process to ensure integrity of PII

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ca6d7878-3189-1833-4620-6c7254ed1607

Obtain continuous monitoring plan for security controls

CMA_C1577 - Obtain continuous monitoring plan for security controls

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

311802f9-098d-0659-245a-94c5d47c0182

Employ boundary protection to isolate information systems

CMA_C1639 - Employ boundary protection to isolate information systems

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

58a51cde-008b-1a5d-61b5-d95849770677

Test the business continuity and disaster recovery plan

CMA_0509 - Test the business continuity and disaster recovery plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

70a7a065-a060-85f8-7863-eb7850ed2af9

Produce Security Assessment report

CMA_C1146 - Produce Security Assessment report

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1fdeb7c4-4c93-8271-a135-17ebe85f1cc7

Incorporate simulated events into incident response training

CMA_C1356 - Incorporate simulated events into incident response training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d42a8f69-a193-6cbc-48b9-04a9e29961f1

Protect wireless access

CMA_0411 - Protect wireless access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6de65dc4-8b4f-34b7-9290-eb137a2e2929

Develop and document application security requirements

CMA_0148 - Develop and document application security requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0803eaa7-671c-08a7-52fd-ac419f775e75

Document acquisition contract acceptance criteria

CMA_0187 - Document acquisition contract acceptance criteria

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a830fe9e-08c9-a4fb-420c-6f6bf1702395

Review account provisioning logs

CMA_0460 - Review account provisioning logs

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5020f3f4-a579-2f28-72a8-283c5a0b15f9

Restrict communications

CMA_0449 - Restrict communications

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

79c75b38-334b-1a69-65e0-a9d929a42f75

Document the legal basis for processing personal information

CMA_0206 - Document the legal basis for processing personal information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a90c4d44-7fac-8e02-6d5b-0d92046b20e6

Automate flaw remediation

CMA_0027 - Automate flaw remediation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a465e8e9-0095-85cb-a05f-1dd4960d02af

Document security documentation requirements in acquisition contract

CMA_0200 - Document security documentation requirements in acquisition contract

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a30bd8e9-7064-312a-0e1f-e1b485d59f6e

Review exploit protection events

CMA_0472 - Review exploit protection events

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ed87d27a-9abf-7c71-714c-61d881889da4

Monitor privileged role assignment

CMA_0378 - Monitor privileged role assignment

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3054c74b-9b45-2581-56cf-053a1a716c39

Accept assessment results

CMA_C1150 - Accept assessment results

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

53fc1282-0ee3-2764-1319-e20143bb0ea5

Review contingency plan

CMA_C1247 - Review contingency plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1beb1269-62ee-32cd-21ad-43d6c9750eb6

Ensure privacy program information is publicly available

CMA_C1867 - Ensure privacy program information is publicly available

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

bd6cbcba-4a2d-507c-53e3-296b5c238a8e

Develop and document a business continuity and disaster recovery plan

CMA_0146 - Develop and document a business continuity and disaster recovery plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2af4640d-11a6-a64b-5ceb-a468f4341c0c

Define and enforce inactivity log policy

CMA_C1017 - Define and enforce inactivity log policy

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

aa305b4d-8c84-1754-0c74-dec004e66be0

Develop contingency plan

CMA_C1244 - Develop contingency plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

42116f15-5665-a52a-87bb-b40e64c74b6c

Develop acceptable use policies and procedures

CMA_0143 - Develop acceptable use policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a3e98638-51d4-4e28-910a-60e98c1a756f

Configure Azure Audit capabilities

CMA_C1108 - Configure Azure Audit capabilities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

11ba0508-58a8-44de-5f3a-9e05d80571da

Develop business classification schemes

CMA_0155 - Develop business classification schemes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

36b74844-4a99-4c80-1800-b18a516d1585

Control use of portable storage devices

CMA_0083 - Control use of portable storage devices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

964b340a-43a4-4798-2af5-7aedf6cb001b

Collect PII directly from the individual

CMA_C1822 - Collect PII directly from the individual

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

55a7f9a0-6397-7589-05ef-5ed59a8149e7

Control physical access

CMA_0081 - Control physical access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c6aeb800-0b19-944d-92dc-59b893722329

Rescreen individuals at a defined frequency

CMA_C1512 - Rescreen individuals at a defined frequency

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

271a3e58-1b38-933d-74c9-a580006b80aa

Document personnel acceptance of privacy requirements

CMA_0193 - Document personnel acceptance of privacy requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51

Publish access procedures in SORNs

CMA_C1848 - Publish access procedures in SORNs

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1cb7bf71-841c-4741-438a-67c65fdd7194

Provide security training for new users

CMA_0419 - Provide security training for new users

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d93fe1be-13e4-421d-9c21-3158e2fa2667

Implement plans of action and milestones for security program process

CMA_C1737 - Implement plans of action and milestones for security program process

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

464a7d7a-2358-4869-0b49-6d582ca21292

Ensure capital planning and investment requests include necessary resources

CMA_C1734 - Ensure capital planning and investment requests include necessary resources

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f801d58e-5659-9a4a-6e8d-02c9334732e5

Restore resources to operational state

CMA_C1297 - Restore resources to operational state

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

085467a6-9679-5c65-584a-f55acefd0d43

Require developers to implement only approved changes

CMA_C1596 - Require developers to implement only approved changes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d136ae80-54dd-321c-98b4-17acf4af2169

Provide updated security awareness training

CMA_C1090 - Provide updated security awareness training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3eecf628-a1c8-1b48-1b5c-7ca781e97970

Specify permitted actions associated with customer audit information

CMA_C1122 - Specify permitted actions associated with customer audit information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0716f0f5-4955-2ccb-8d5e-c6be14d57c0f

Ensure resources are authorized

CMA_C1159 - Ensure resources are authorized

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f2222056-062d-1060-6dc2-0107a68c34b2

Manage a secure surveillance camera system

CMA_0354 - Manage a secure surveillance camera system

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5269d7e4-3768-501d-7e46-66c56c15622c

Manage contacts for authorities and special interest groups

CMA_0359 - Manage contacts for authorities and special interest groups

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

edcc36f1-511b-81e0-7125-abee29752fe7

Manage availability and capacity

CMA_0356 - Manage availability and capacity

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f6794ab8-9a7d-3b24-76ab-265d3646232b

Provide role-based training on suspicious activities

CMA_C1097 - Provide role-based training on suspicious activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e8c31e15-642d-600f-78ab-bad47a5787e6

Require third-party providers to comply with personnel security policies and procedures

CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

75b9db50-7906-2351-98ae-0458218609e5

Retain accounting of disclosures of information

CMA_C1819 - Retain accounting of disclosures of information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

eb8a8df9-521f-3ccd-7e2c-3d1fcc812340

Review and update configuration management policies and procedures

CMA_C1175 - Review and update configuration management policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7805a343-275c-41be-9d62-7215b96212d8

Reassign or remove user privileges as needed

CMA_C1040 - Reassign or remove user privileges as needed

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0a412110-3874-9f22-187a-c7a81c8a6704

Establish alternate storage site to store and retrieve backup information

CMA_C1267 - Establish alternate storage site to store and retrieve backup information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c981fa70-2e58-8141-1457-e7f62ebc2ade

Document organizational access agreements

CMA_0192 - Document organizational access agreements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f476f3b0-4152-526e-a209-44e5f8c968d7

Establish network segmentation for card holder data environment

CMA_0273 - Establish network segmentation for card holder data environment

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

92b49e92-570f-1765-804a-378e6c592e28

Automate process to highlight unreviewed change proposals

CMA_C1193 - Automate process to highlight unreviewed change proposals

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7fc1f0da-0050-19bb-3d75-81ae15940df6

Provide monitoring information as needed

CMA_C1689 - Provide monitoring information as needed

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2b4e134f-1e4c-2bff-573e-082d85479b6e

Develop an incident response plan

CMA_0145 - Develop an incident response plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a08b18c7-9e0a-89f1-3696-d80902196719

Document access privileges

CMA_0186 - Document access privileges

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

203101f5-99a3-1491-1b56-acccd9b66a9e

Conduct a security impact analysis

CMA_0057 - Conduct a security impact analysis

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

bbb2e6d6-085f-5a35-a55d-e45daad38933

Provide secure name and address resolution services

CMA_0416 - Provide secure name and address resolution services

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9c276cf3-596f-581a-7fbd-f5e46edaa0f4

Manage symmetric cryptographic keys

CMA_0367 - Manage symmetric cryptographic keys

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2c843d78-8f64-92b5-6a9b-e8186c0e7eb6

Enable dual or joint authorization

CMA_0226 - Enable dual or joint authorization

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f30edfad-4e1d-1eef-27ee-9292d6d89842

Perform security function verification at a defined frequency

CMA_C1709 - Perform security function verification at a defined frequency

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b544f797-a73b-1be3-6d01-6b1a085376bc

Establish information security workforce development and improvement program

CMA_C1752 - Establish information security workforce development and improvement program

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1fb1cb0e-1936-6f32-42fd-89970b535855

Manage nonlocal maintenance and diagnostic activities

CMA_0364 - Manage nonlocal maintenance and diagnostic activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

aa0ddd99-43eb-302d-3f8f-42b499182960

Install an alarm system

CMA_0338 - Install an alarm system

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65

Update antivirus definitions

CMA_0517 - Update antivirus definitions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b2ea1058-8998-3dd1-84f1-82132ad482fd

Develop and establish a system security plan

CMA_0151 - Develop and establish a system security plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0bbfd658-93ab-6f5e-1e19-3c1c1da62d01

Keep accurate accounting of disclosures of information

CMA_C1818 - Keep accurate accounting of disclosures of information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

bd4dc286-2f30-5b95-777c-681f3a7913d3

Establish and document change control processes

CMA_0265 - Establish and document change control processes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1a2a03a4-9992-5788-5953-d8f6615306de

Govern policies and procedures

CMA_0292 - Govern policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

de770ba6-50dd-a316-2932-e0d972eaa734

Require approval for account creation

CMA_0431 - Require approval for account creation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

03d550b4-34ee-03f4-515f-f2e2faf7a413

Review access control policies and procedures

CMA_0457 - Review access control policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

de936662-13dc-204c-75ec-1af80f994088

Provide contingency training

CMA_0412 - Provide contingency training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

39eb03c1-97cc-11ab-0960-6209ed2869f7

Establish a privacy program

CMA_0257 - Establish a privacy program

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

098a7b84-1031-66d8-4e78-bd15b5fd2efb

Provide privacy notice

CMA_0414 - Provide privacy notice

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8bfdbaa6-6824-3fec-9b06-7961bf7389a6

Initiate contingency plan testing corrective actions

CMA_C1263 - Initiate contingency plan testing corrective actions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

79365f13-8ba4-1f6c-2ac4-aa39929f56d0

Employ flow control mechanisms of encrypted information

CMA_0211 - Employ flow control mechanisms of encrypted information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

27ce30dd-3d56-8b54-6144-e26d9a37a541

Ensure audit records are not altered

CMA_C1125 - Ensure audit records are not altered

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e

Implement controls to secure alternate work sites

CMA_0315 - Implement controls to secure alternate work sites

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f26af0b1-65b6-689a-a03f-352ad2d00f98

Audit privileged functions

CMA_0019 - Audit privileged functions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6610f662-37e9-2f71-65be-502bdc2f554d

Update rules of behavior and access agreements

CMA_0521 - Update rules of behavior and access agreements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

af38215f-70c4-0cd6-40c2-c52d86690a45

Set automated notifications for new and trending cloud applications in your organization

CMA_0495 - Set automated notifications for new and trending cloud applications in your organization

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b470a37a-7a47-3792-34dd-7a793140702e

Establish relationship between incident response capability and external providers

CMA_C1376 - Establish relationship between incident response capability and external providers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

df54d34f-65f3-39f1-103c-a0464b8615df

Manage transfers between standby and active system components

CMA_0371 - Manage transfers between standby and active system components

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1d39b5d9-0392-8954-8359-575ce1957d1a

Support personal verification credentials issued by legal authorities

CMA_0507 - Support personal verification credentials issued by legal authorities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

54a9c072-4a93-2a03-6a43-a060d30383d7

Eradicate contaminated information

CMA_0253 - Eradicate contaminated information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

22c16ae4-19d0-29cb-422f-cb44061180ee

Disable user accounts posing a significant risk

CMA_C1026 - Disable user accounts posing a significant risk

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d4e6a629-28eb-79a9-000b-88030e4823ca

Coordinate with external organizations to achieve cross org perspective

CMA_C1368 - Coordinate with external organizations to achieve cross org perspective

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

39999038-9ef1-602a-158c-ce2367185230

Define performance metrics

CMA_0124 - Define performance metrics

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

bab9ef1d-a16d-421a-822d-3fa94e808156

Route traffic through managed network access points

CMA_0484 - Route traffic through managed network access points

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8

Automate process to document implemented changes

CMA_C1195 - Automate process to document implemented changes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

df2e9507-169b-4114-3a52-877561ee3198

Implement security engineering principles of information systems

CMA_0325 - Implement security engineering principles of information systems

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2f67e567-03db-9d1f-67dc-b6ffb91312f4

Determine auditable events

CMA_0137 - Determine auditable events

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9b55929b-0101-47c0-a16e-d6ac5c7d21f8

Undergo independent security review

CMA_0515 - Undergo independent security review

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

291f20d4-8d93-1d73-89f3-6ce28b825563

Authorize, monitor, and control usage of mobile code technologies

CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2f20840e-7925-221c-725d-757442753e7c

Develop and maintain baseline configurations

CMA_0153 - Develop and maintain baseline configurations

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2d2ca910-7957-23ee-2945-33f401606efc

Accept only FICAM-approved third-party credentials

CMA_C1348 - Accept only FICAM-approved third-party credentials

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

526ed90e-890f-69e7-0386-ba5c0f1f784f

Establish and document a configuration management plan

CMA_0264 - Establish and document a configuration management plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

433de59e-7a53-a766-02c2-f80f8421469a

Implement incident handling

CMA_0318 - Implement incident handling

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e4054c0e-1184-09e6-4c5e-701e0bc90f81

Report atypical behavior of user accounts

CMA_C1025 - Report atypical behavior of user accounts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

bfc540fe-376c-2eef-4355-121312fa4437

Maintain separate execution domains for running processes

CMA_C1665 - Maintain separate execution domains for running processes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3d492600-27ba-62cc-a1c3-66eb919f6a0d

Document remote access guidelines

CMA_0196 - Document remote access guidelines

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6f1de470-79f3-1572-866e-db0771352fc8

Authenticate to cryptographic module

CMA_0021 - Authenticate to cryptographic module

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8b1f29eb-1b22-4217-5337-9207cb55231e

Perform information input validation

CMA_C1723 - Perform information input validation

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6bededc0-2985-54d5-4158-eb8bad8070a0

Review and update information integrity policies and procedures

CMA_C1667 - Review and update information integrity policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f8ded0c6-a668-9371-6bb6-661d58787198

Monitor third-party provider compliance

CMA_C1533 - Monitor third-party provider compliance

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f741c4e6-41eb-15a4-25a2-61ac7ca232f0

Integrate audit review, analysis, and reporting

CMA_0339 - Integrate audit review, analysis, and reporting

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

49c23d9b-02b0-0e42-4f94-e8cef1b8381b

Audit user account status

CMA_0020 - Audit user account status

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

015b4935-448a-8684-27c0-d13086356c33

Implement a threat awareness program

CMA_C1758 - Implement a threat awareness program

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

dd6d00a8-701a-5935-a22b-c7b9c0c698b2

Isolate SecurID systems, Security Incident Management systems

CMA_C1636 - Isolate SecurID systems, Security Incident Management systems

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8c5d3d8d-5cba-0def-257c-5ab9ea9644dc

Perform a risk assessment

CMA_0388 - Perform a risk assessment

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e750ca06-1824-464a-2cf3-d0fa754d1cb4

Establish a secure software development program

CMA_0259 - Establish a secure software development program

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ebb0ba89-6d8c-84a7-252b-7393881e43de

Document security strength requirements in acquisition contracts

CMA_0203 - Document security strength requirements in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4012c2b7-4e0e-a7ab-1688-4aab43f14420

Map authenticated identities to individuals

CMA_0372 - Map authenticated identities to individuals

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e89436d8-6a93-3b62-4444-1d2a42ad56b2

Reevaluate access upon personnel transfer

CMA_0424 - Reevaluate access upon personnel transfer

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0dcbaf2f-075e-947b-8f4c-74ecc5cd302c

Identify individuals with security roles and responsibilities

CMA_C1566 - Identify individuals with security roles and responsibilities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5c40f27b-6791-18c5-3f85-7b863bd99c11

Automate proposed documented changes

CMA_C1191 - Automate proposed documented changes

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7

Define a physical key management process

CMA_0115 - Define a physical key management process

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

10c3a1b1-29b0-a2d5-8f4c-a284b0f07830

Implement cryptographic mechanisms

CMA_C1419 - Implement cryptographic mechanisms

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

37546841-8ea1-5be0-214d-8ac599588332

Maintain incident response plan

CMA_0352 - Maintain incident response plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7c7032fe-9ce6-9092-5890-87a1a3755db1

Retain terminated user data

CMA_0455 - Retain terminated user data

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

91a54089-2d69-0f56-62dc-b6371a1671c0

Resume all mission and business functions

CMA_C1254 - Resume all mission and business functions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Monitoring

bd58d393-162c-4134-bcd6-a6a5484a37a1

The legacy Log Analytics extension should not be installed on Azure Arc enabled Linux servers

Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Linux servers. Learn more: https://aka.ms/migratetoAMA

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

cc057769-01d9-95ad-a36f-1e62a7f9540b

Update POA&M items

CMA_C1157 - Update POA&M items

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

98145a9b-428a-7e81-9d14-ebb154a24f93

View and investigate restricted users

CMA_0545 - View and investigate restricted users

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

eb598832-4bcc-658d-4381-3ecbe17b9866

Provide timely maintenance support

CMA_C1425 - Provide timely maintenance support

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

eaaae23f-92c9-4460-51cf-913feaea4d52

Employ a media sanitization mechanism

CMA_0208 - Employ a media sanitization mechanism

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7a0ecd94-3699-5273-76a5-edb8499f655a

Determine assertion requirements

CMA_0136 - Determine assertion requirements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4edaca8c-0912-1ac5-9eaa-6a1057740fae

Provide capability to disconnect or disable remote access

CMA_C1066 - Provide capability to disconnect or disable remote access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0471c6b7-1588-701c-2713-1fade73b75f6

Display an explicit logout message

CMA_C1056 - Display an explicit logout message

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7a489c62-242c-5db9-74df-c073056d6fa3

Designate personnel to supervise unauthorized maintenance activities

CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

333b4ada-4a02-0648-3d4d-d812974f1bb2

Govern and monitor audit processing activities

CMA_0289 - Govern and monitor audit processing activities

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f9ec3263-9562-1768-65a1-729793635a8d

Document protection of personal data in acquisition contracts

CMA_0194 - Document protection of personal data in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4c385143-09fd-3a34-790c-a5fd9ec77ddc

Provide role-based security training

CMA_C1094 - Provide role-based security training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

04837a26-2601-1982-3da7-bf463e6408f4

Develop configuration management plan

CMA_C1232 - Develop configuration management plan

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab

Check for privacy and security compliance before establishing internal connections

CMA_0053 - Check for privacy and security compliance before establishing internal connections

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08

Assess risk in third party relationships

CMA_0014 - Assess risk in third party relationships

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

62fa14f0-4cbe-762d-5469-0899a99b98aa

Explicitly notify use of collaborative computing devices

CMA_C1649 - Explicitly notify use of collaborative computing devices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8eea8c14-4d93-63a3-0c82-000343ee5204

Conduct a full text analysis of logged privileged commands

CMA_0056 - Conduct a full text analysis of logged privileged commands

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

afbecd30-37ee-a27b-8e09-6ac49951a0ee

Establish security requirements for the manufacturing of connected devices

CMA_0279 - Establish security requirements for the manufacturing of connected devices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b4e19d22-8c0e-7cad-3219-c84c62dc250f

Review and update media protection policies and procedures

CMA_C1427 - Review and update media protection policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

60ee1260-97f0-61bb-8155-5d8b75743655

Separate duties of individuals

CMA_0492 - Separate duties of individuals

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8bb40df9-23e4-4175-5db3-8dba86349b73

Confirm quality and integrity of PII

CMA_C1821 - Confirm quality and integrity of PII

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

729c8708-2bec-093c-8427-2e87d2cd426d

Automate notification of employee termination

CMA_C1521 - Automate notification of employee termination

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

509552f5-6528-3540-7959-fbeae4832533

Enforce rules of behavior and access agreements

CMA_0248 - Enforce rules of behavior and access agreements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

06f84330-4c27-21f7-72cd-7488afd50244

Implement privacy notice delivery methods

CMA_0324 - Implement privacy notice delivery methods

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

398fdbd8-56fd-274d-35c6-fa2d3b2755a1

Establish firewall and router configuration standards

CMA_0272 - Establish firewall and router configuration standards

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Monitoring

1f6e93e8-6b31-41b1-83f6-36e449a42579

Deploy Diagnostic Settings for Event Hub to Log Analytics workspace

Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2f204e72-1896-3bf8-75c9-9128b8683a36

Reissue authenticators for changed groups and accounts

CMA_0426 - Reissue authenticators for changed groups and accounts

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d661e9eb-4e15-5ba1-6f02-cdc467db0d6c

Define organizational requirements for cryptographic key management

CMA_0123 - Define organizational requirements for cryptographic key management

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

aeed863a-0f56-429f-945d-8bb66bd06841

Authorize access to security functions and information

CMA_0022 - Authorize access to security functions and information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

cdcb825f-a0fb-31f9-29c1-ab566718499a

Publish Computer Matching Agreements on public website

CMA_C1829 - Publish Computer Matching Agreements on public website

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b33d61c1-7463-7025-0ec0-a47585b59147

Require developers to manage change integrity

CMA_C1595 - Require developers to manage change integrity

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e3905a3c-97e7-0b4f-15fb-465c0927536f

Correlate Vulnerability scan information

CMA_C1558 - Correlate Vulnerability scan information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5fc24b95-53f7-0ed1-2330-701b539b97fe

Turn on sensors for endpoint security solution

CMA_0514 - Turn on sensors for endpoint security solution

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

03b6427e-6072-4226-4bd9-a410ab65317e

Design an access control model

CMA_0129 - Design an access control model

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Security Center

e54901fe-42c2-7f3b-3c5f-327aa5320a69

[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

Automate information sharing decisions

CMA_0028 - Automate information sharing decisions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

178c8b7e-1b6e-4289-44dd-2f1526b678a1

Ensure alternate storage site safeguards are equivalent to primary site

CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2067b904-9552-3259-0cdd-84468e284b7c

Review and update system maintenance policies and procedures

CMA_C1395 - Review and update system maintenance policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3d399cf3-8fc6-0efc-6ab0-1412f1198517

Block untrusted and unsigned processes that run from USB

CMA_0050 - Block untrusted and unsigned processes that run from USB

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

55be3260-a7a2-3c06-7fe6-072d07525ab7

Accept PIV credentials

CMA_C1347 - Accept PIV credentials

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3c93dba1-84fd-57de-33c7-ef0400a08134

Establish terms and conditions for accessing resources

CMA_C1076 - Establish terms and conditions for accessing resources

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

cf79f602-1e60-5423-6c0c-e632c2ea1fc0

Implement controls to protect PII

CMA_C1839 - Implement controls to protect PII

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

93fa357f-2e38-22a9-5138-8cc5124e1923

Categorize information

CMA_0052 - Categorize information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3baee3fd-30f5-882c-018c-cc78703a0106

Employ independent assessors for continuous monitoring

CMA_C1168 - Employ independent assessors for continuous monitoring

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ced291b8-1d3d-7e27-40cf-829e9dd523c8

Review and update the information security architecture

CMA_C1504 - Review and update the information security architecture

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d8bbd80e-3bb1-5983-06c2-428526ec6a63

Establish a password policy

CMA_0256 - Establish a password policy

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e6f7b584-877a-0d69-77d4-ab8b923a9650

Document separation of duties

CMA_0204 - Document separation of duties

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8489ff90-8d29-61df-2d84-f9ab0f4c5e84

Notify when account is not needed

CMA_0383 - Notify when account is not needed

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

eff6e4a5-3efe-94dd-2ed1-25d56a019a82

Distribute policies and procedures

CMA_0185 - Distribute policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

35963d41-4263-0ef9-98d5-70eb058f9e3c

Establish procedures for initial authenticator distribution

CMA_0276 - Establish procedures for initial authenticator distribution

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3a868d0c-538f-968b-0191-bddb44da5b75

Require developers to document approved changes and potential impact

CMA_C1597 - Require developers to document approved changes and potential impact

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

63f63e71-6c3f-9add-4c43-64de23e554a7

Manage gateways

CMA_0363 - Manage gateways

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6625638f-3ba1-7404-5983-0ea33d719d34

Review audit data

CMA_0466 - Review audit data

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d48a6f19-a284-6fc6-0623-3367a74d3f50

Update interconnection security agreements

CMA_0519 - Update interconnection security agreements

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

86ecd378-a3a0-5d5b-207c-05e6aaca43fc

Detect network services that have not been authorized or approved

CMA_C1700 - Detect network services that have not been authorized or approved

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

ff1efad2-6b09-54cc-01bf-d386c4d558a8

Secure the interface to external systems

CMA_0491 - Secure the interface to external systems

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

4ac81669-00e2-9790-8648-71bc11bc91eb

Manage the transportation of assets

CMA_0370 - Manage the transportation of assets

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3ae68d9a-5696-8c32-62d3-c6f9c52e437c

Refresh authenticators

CMA_0425 - Refresh authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1fdf0b24-4043-3c55-357e-036985d50b52

Ensure security safeguards not needed when the individuals return

CMA_C1183 - Ensure security safeguards not needed when the individuals return

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

7d70383a-32f4-a0c2-61cf-a134851968c2

Determine legal authority to collect PII

CMA_C1800 - Determine legal authority to collect PII

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3545c827-26ee-282d-4629-23952a12008b

Conduct incident response testing

CMA_0060 - Conduct incident response testing

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a4493012-908c-5f48-a468-1e243be884ce

Review security assessment and authorization policies and procedures

CMA_C1143 - Review security assessment and authorization policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

fe2dff43-0a8c-95df-0432-cb1c794b17d0

Notify users of system logon or access

CMA_0382 - Notify users of system logon or access

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

9b8b05ec-3d21-215e-5d98-0f7cf0998202

Provide security awareness training for insider threats

CMA_0417 - Provide security awareness training for insider threats

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928

Appoint a senior information security officer

CMA_C1733 - Appoint a senior information security officer

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

04b3e7f6-4841-888d-4799-cda19a0084f6

Document and implement wireless access guidelines

CMA_0190 - Document and implement wireless access guidelines

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

037c0089-6606-2dab-49ad-437005b5035f

Identify incident response personnel

CMA_0301 - Identify incident response personnel

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d9edcea6-6cb8-0266-a48c-2061fbac4310

Plan for continuance of essential business functions

CMA_C1255 - Plan for continuance of essential business functions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

98e33927-8d7f-6d5f-44f5-2469b40b7215

Implement Incident handling capability

CMA_C1367 - Implement Incident handling capability

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f29b17a4-0df2-8a50-058a-8570f9979d28

Assign system identifiers

CMA_0018 - Assign system identifiers

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

f8a63511-66f1-503f-196d-d6217ee0823a

Require developers to produce evidence of security assessment plan execution

CMA_C1602 - Require developers to produce evidence of security assessment plan execution

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6

Review development process, standards and tools

CMA_C1610 - Review development process, standards and tools

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

098dcde7-016a-06c3-0985-0daaf3301d3a

Distribute authenticators

CMA_0184 - Distribute authenticators

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

d02498e0-8a6f-6b02-8332-19adf6711d1e

Develop organization code of conduct policy

CMA_0159 - Develop organization code of conduct policy

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

426c172c-9914-10d1-25dd-669641fc1af4

Enable detection of network devices

CMA_0220 - Enable detection of network devices

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

13ef3484-3a51-785a-9c96-500f21f84edd

Information flow control using security policy filters

CMA_C1029 - Information flow control using security policy filters

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

3c9aa856-6b86-35dc-83f4-bc72cec74dea

Establish a data leakage management procedure

CMA_0255 - Establish a data leakage management procedure

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

341bc9f1-7489-07d9-4ec6-971573e1546a

Define access authorizations to support separation of duties

CMA_0116 - Define access authorizations to support separation of duties

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

01ae60e2-38bb-0a32-7b20-d3a091423409

Implement system boundary protection

CMA_0328 - Implement system boundary protection

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b5a4be05-3997-1731-3260-98be653610f6

Perform disposition review

CMA_0391 - Perform disposition review

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

bb048641-6017-7272-7772-a008f285a520

Develop spillage response procedures

CMA_0162 - Develop spillage response procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

70057208-70cc-7b31-3c3a-121af6bc1966

Secure commitment from leadership

CMA_0489 - Secure commitment from leadership

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

75b42dcf-7840-1271-260b-852273d7906e

Develop contingency planning policies and procedures

CMA_0156 - Develop contingency planning policies and procedures

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

6abdf7c7-362b-3f35-099e-533ed50988f9

Assign information security representative to change control

CMA_C1198 - Assign information security representative to change control

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

5226dee6-3420-711b-4709-8e675ebd828f

Update information security policies

CMA_0518 - Update information security policies

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

2b2f3a72-9e68-3993-2b69-13dcdecf8958

Define requirements for supplying goods and services

CMA_0126 - Define requirements for supplying goods and services

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

e435f7e3-0dd9-58c9-451f-9b44b96c0232

Implement controls to secure all media

CMA_0314 - Implement controls to secure all media

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

67ada943-8539-083d-35d0-7af648974125

Determine supplier contract obligations

CMA_0140 - Determine supplier contract obligations

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

27ab3ac0-910d-724d-0afa-1a2a01e996c0

Respond to rectification requests

CMA_0442 - Respond to rectification requests

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b4512986-80f5-1656-0c58-08866bd2673a

Designate authorized personnel to post publicly accessible information

CMA_C1083 - Designate authorized personnel to post publicly accessible information

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

c3b3cc61-9c70-5d78-7f12-1aefcc477db7

Review security testing, training, and monitoring plans

CMA_C1754 - Review security testing, training, and monitoring plans

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

83dfb2b8-678b-20a0-4c44-5c75ada023e6

Document mobility training

CMA_0191 - Document mobility training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

676c3c35-3c36-612c-9523-36d266a65000

Require developers to provide training

CMA_C1611 - Require developers to provide training

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

b9d45adb-471b-56a5-64d2-5b241f126174

Automate privacy controls

CMA_C1817 - Automate privacy controls

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

a44c9fba-43f8-4b7b-7ee6-db52c96b4366

Facilitate information sharing

CMA_0284 - Facilitate information sharing

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

1e0d5ba8-a433-01aa-829c-86b06c9631ec

Include dynamic reconfig of customer deployed resources

CMA_C1364 - Include dynamic reconfig of customer deployed resources

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Regulatory Compliance

8cd815bf-97e1-5144-0735-11f6ddb50a59

Enforce and audit access restrictions

CMA_C1203 - Enforce and audit access restrictions

Default
Manual
Allowed
Manual, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-09-27 16:35:32

BuiltIn

Storage

8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54

Storage accounts should prevent shared key access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-23 16:35:49

BuiltIn

Security Center

9297c21d-2ed6-4474-b48f-163f75654ce3

[Deprecated]: MFA should be enabled for accounts with write permissions on your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-09-23 16:35:49

BuiltIn

Security Center

Configure ChangeTracking Extension for Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-09-23 16:35:49

BuiltIn

Storage

Configure diagnostic settings for Blob Services to Log Analytics workspace

Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-23 16:35:49

BuiltIn

Storage

f516dc7a-4543-4d40-aad6-98f76a706b50

Configure diagnostic settings for Queue Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-23 16:35:49

BuiltIn

Network

[Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Storage

df441472-4dae-4e4e-87b9-9205ba46be16

Configure diagnostic settings for Table Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-23 16:35:49

BuiltIn

Monitoring

The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers

Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Windows servers. Learn more: https://aka.ms/migratetoAMA

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Network

711c24bb-7f18-4578-b192-81a6161e1f17

[Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Storage

1288c8d7-4b05-4e3a-bc88-9053caefc021

Configure diagnostic settings for Storage Accounts to Log Analytics workspace

Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-23 16:35:49

BuiltIn

Security Center

Configure ChangeTracking Extension for Linux virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-09-23 16:35:49

BuiltIn

Network

6484db87-a62d-4327-9f07-80a2cbdf333a

[Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS)

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Guest Configuration

357cbd2d-b5c0-4c73-b40c-6bd84f06ce09

[Preview]: Configure Windows Server to disable local users.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Security Center

4bb303db-d051-4099-95d2-e3e1428a4d2c

Configure ChangeTracking Extension for Linux Arc machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-09-23 16:35:49

BuiltIn

Security Center

Configure ChangeTracking Extension for Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-09-23 16:35:49

BuiltIn

Network

610b6183-5f00-4d68-86d2-4ab4cb3a67a5

[Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Monitoring

d2185817-5b7e-473c-aadd-9de6ac114280

The legacy Log Analytics extension should not be installed on virtual machines

Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. Learn more: https://aka.ms/migratetoAMA

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Security Center

ba6881f9-ab93-498b-8bad-bb91b1d755bf

Configure ChangeTracking Extension for Windows Arc machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-09-23 16:35:49

BuiltIn

Monitoring

The legacy Log Analytics extension should not be installed on virtual machine scale sets

Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Security Center

f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf

Configure ChangeTracking Extension for Linux virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-09-23 16:35:49

BuiltIn

Network

[Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-23 16:35:49

BuiltIn

Storage

632d3993-e2c0-44ea-a7db-2eca131f356d

Configure diagnostic settings for File Services to Log Analytics workspace

Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-23 16:35:49

BuiltIn

Network

[Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-09-23 16:35:49

BuiltIn

Regulatory Compliance

ba02d0a0-566a-25dc-73f1-101c726a19c5

Implement transaction based recovery

CMA_C1296 - Implement transaction based recovery

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

46ab2c5e-6654-1f58-8c83-e97a44f39308

Identify external service providers

CMA_C1591 - Identify external service providers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

6a379d74-903b-244a-4c44-838728bea6b0

Analyse data obtained from continuous monitoring

CMA_C1169 - Analyse data obtained from continuous monitoring

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

a4493012-908c-5f48-a468-1e243be884ce

[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Review security assessment and authorization policies and procedures

CMA_C1143 - Review security assessment and authorization policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b

Configure App Service apps to turn off remote debugging

Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

95eb7d09-9937-5df9-11d9-20317e3f60df

Provide formal notice to individuals

CMA_C1864 - Provide formal notice to individuals

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

06af77de-02ca-0f3e-838a-a9420fe466f5

Establish a discrete line item in budgeting documentation

CMA_C1563 - Establish a discrete line item in budgeting documentation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

56fb5173-3865-5a5d-5fad-ae33e53e1577

Address information security issues

CMA_C1742 - Address information security issues

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

aa305b4d-8c84-1754-0c74-dec004e66be0

Develop contingency plan

CMA_C1244 - Develop contingency plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

2401b496-7f23-79b2-9f80-89bb5abf3d4a

Protect incident response plan

CMA_0405 - Protect incident response plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

e5c5fc78-4aa5-3d6b-81bc-5fcc88b318e9

[Preview]: Kubernetes clusters should restrict creation of given resource type

Given Kubernetes resource type should not be deployed in certain namespace.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.1.0-preview)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Review and update personnel security policies and procedures

CMA_C1507 - Review and update personnel security policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d91558ce-5a5c-551b-8fbb-83f793255e09

Route traffic through authenticated proxy network

CMA_C1633 - Route traffic through authenticated proxy network

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

de936662-13dc-204c-75ec-1af80f994088

[Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Provide contingency training

CMA_0412 - Provide contingency training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Network

dad1887d-161b-7b61-2e4d-5124a7b5724e

Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Measure the time between flaw identification and flaw remediation

CMA_C1674 - Measure the time between flaw identification and flaw remediation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

0f31d98d-5ce2-705b-4aa5-b4f6705110dd

Prepare alternate processing site for use as operational site

CMA_C1278 - Prepare alternate processing site for use as operational site

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

98e33927-8d7f-6d5f-44f5-2469b40b7215

Implement Incident handling capability

CMA_C1367 - Implement Incident handling capability

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

08cf2974-d178-48a0-b26d-f6b8e555748b

Configure Function app slots to only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

096a7055-30cb-2db4-3fda-41b20ac72667

Require interconnection security agreements

CMA_C1151 - Require interconnection security agreements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d7c1ecc3-2980-a079-1569-91aec8ac4a77

Conduct risk assessment and distribute its results

CMA_C1544 - Conduct risk assessment and distribute its results

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Storage

279052a0-8238-694d-9661-bf649f951747

Configure diagnostic settings for File Services to Log Analytics workspace

Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Identify contaminated systems and components

CMA_0300 - Identify contaminated systems and components

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

015b4935-448a-8684-27c0-d13086356c33

Implement a threat awareness program

CMA_C1758 - Implement a threat awareness program

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

6f311b49-9b0d-8c67-3d6e-db80ae528173

Bind authenticators and identities dynamically

CMA_0035 - Bind authenticators and identities dynamically

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

8b077bff-516f-3983-6c42-c86e9a11868b

Designate individuals to fulfill specific roles and responsibilities

CMA_C1747 - Designate individuals to fulfill specific roles and responsibilities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

2f7c08c2-f671-4282-9fdb-597b6ef2c10d

[Deprecated]: App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b9d45adb-471b-56a5-64d2-5b241f126174

Automate privacy controls

CMA_C1817 - Automate privacy controls

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

1e876c5c-0f2a-8eb6-69f7-5f91e7918ed6

Review development process, standards and tools

CMA_C1610 - Review development process, standards and tools

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

4d0bc837-6eff-477e-9ecd-33bf8d4212a5

App Service apps should use a SKU that supports private link

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (3.0.0 > 4.0.0)

2022-09-19 17:41:40

BuiltIn

App Service

Function apps should use an Azure file share for its content directory

The content directory of a Function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.

Default
Audit
Allowed
Audit, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Kubernetes

6bededc0-2985-54d5-4158-eb8bad8070a0

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.0 > 5.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Review and update information integrity policies and procedures

CMA_C1667 - Review and update information integrity policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

1dbd51c2-2bd1-5e26-75ba-ed075d8f0d68

Conduct risk assessment and document its results

CMA_C1542 - Conduct risk assessment and document its results

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3153d9c0-2584-14d3-362d-578b01358aeb

Retain training records

CMA_0456 - Retain training records

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

76d66b5c-85e4-93f5-96a5-ebb2fad61dc6

Terminate customer controlled account credentials

CMA_C1022 - Terminate customer controlled account credentials

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3baee3fd-30f5-882c-018c-cc78703a0106

Employ independent assessors for continuous monitoring

CMA_C1168 - Employ independent assessors for continuous monitoring

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

c285a320-8830-4665-9cc7-bbd05fc7c5c0

App Service app slots should require FTPS only

Enable FTPS enforcement for enhanced security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

c8aa992d-76b7-7ca0-07b3-31a58d773fa9

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.1 > 4.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Employ automated training environment

CMA_C1357 - Employ automated training environment

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

037c0089-6606-2dab-49ad-437005b5035f

Identify incident response personnel

CMA_0301 - Identify incident response personnel

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

e750ca06-1824-464a-2cf3-d0fa754d1cb4

Establish a secure software development program

CMA_0259 - Establish a secure software development program

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

91cf132e-0c9f-37a8-a523-dc6a92cd2fb2

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (7.0.0 > 8.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Review and update physical and environmental policies and procedures

CMA_C1446 - Review and update physical and environmental policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

e1379836-3492-6395-451d-2f5062e14136

Identify and authenticate non-organizational users

CMA_C1346 - Identify and authenticate non-organizational users

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d25cbded-121e-0ed6-1857-dc698c9095b1

Take action in response to customer information

CMA_C1554 - Take action in response to customer information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

04837a26-2601-1982-3da7-bf463e6408f4

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (8.0.0 > 9.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Develop configuration management plan

CMA_C1232 - Develop configuration management plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

e29a8f1b-149b-2fa3-969d-ebee1baa9472

Assign an authorizing official (AO)

CMA_C1158 - Assign an authorizing official (AO)

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d9edcea6-6cb8-0266-a48c-2061fbac4310

Plan for continuance of essential business functions

CMA_C1255 - Plan for continuance of essential business functions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

cc2f7339-2fac-1ea9-9ca3-cd530fbb0da2

Create alternative actions for identified anomalies

CMA_C1711 - Create alternative actions for identified anomalies

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

60442979-6333-85f0-84c5-b887bac67448

Evaluate alternate processing site capabilities

CMA_C1266 - Evaluate alternate processing site capabilities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

20762f1e-85fb-31b0-a600-e833633f10fe

Reveal error messages

CMA_C1725 - Reveal error messages

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

5f2e834d-7e40-a4d5-a216-e49b16955ccf

Establish requirements for internet service providers

CMA_0278 - Establish requirements for internet service providers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

e9c60c37-65b0-2d72-6c3c-af66036203ae

Review and update contingency planning policies and procedures

CMA_C1243 - Review and update contingency planning policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

dd6d00a8-701a-5935-a22b-c7b9c0c698b2

Isolate SecurID systems, Security Incident Management systems

CMA_C1636 - Isolate SecurID systems, Security Incident Management systems

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

bb048641-6017-7272-7772-a008f285a520

Develop spillage response procedures

CMA_0162 - Develop spillage response procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

10c3a1b1-29b0-a2d5-8f4c-a284b0f07830

Implement cryptographic mechanisms

CMA_C1419 - Implement cryptographic mechanisms

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

eb598832-4bcc-658d-4381-3ecbe17b9866

Provide timely maintenance support

CMA_C1425 - Provide timely maintenance support

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

098dcde7-016a-06c3-0985-0daaf3301d3a

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.2.1 > 7.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Distribute authenticators

CMA_0184 - Distribute authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

25a1f840-65d0-900a-43e4-bee253de04de

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Define requirements for managing assets

CMA_0125 - Define requirements for managing assets

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ab02bb73-4ce1-89dd-3905-d93042809ba0

Align business objectives and IT goals

CMA_0008 - Align business objectives and IT goals

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

c7e8ddc1-14aa-1814-7fe1-aad1742b27da

Enforce expiration of cached authenticators

CMA_C1343 - Enforce expiration of cached authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

0dcbaf2f-075e-947b-8f4c-74ecc5cd302c

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.1 > 4.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Identify individuals with security roles and responsibilities

CMA_C1566 - Identify individuals with security roles and responsibilities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b7897ddc-9716-2460-96f7-7757ad038cc4

Assign risk designations

CMA_0016 - Assign risk designations

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

318b2bd9-9c39-9f8b-46a7-048401f33476

Address coding vulnerabilities

CMA_0003 - Address coding vulnerabilities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

0fd1ca29-677b-2f12-1879-639716459160

Maintain data breach records

CMA_0351 - Maintain data breach records

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

16c54e01-9e65-7524-7c33-beda48a75779

Produce, control and distribute symmetric cryptographic keys

CMA_C1645 - Produce, control and distribute symmetric cryptographic keys

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

1a2a03a4-9992-5788-5953-d8f6615306de

Govern policies and procedures

CMA_0292 - Govern policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

22c16ae4-19d0-29cb-422f-cb44061180ee

Disable user accounts posing a significant risk

CMA_C1026 - Disable user accounts posing a significant risk

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

21832235-7a07-61f4-530d-d596f76e5b95

Kubernetes cluster should not use naked pods

Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Implement security testing, training, and monitoring plans

CMA_C1753 - Implement security testing, training, and monitoring plans

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

0a412110-3874-9f22-187a-c7a81c8a6704

Establish alternate storage site to store and retrieve backup information

CMA_C1267 - Establish alternate storage site to store and retrieve backup information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

e54901fe-42c2-7f3b-3c5f-327aa5320a69

Automate information sharing decisions

CMA_0028 - Automate information sharing decisions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

245fe58b-96f8-9f1e-48c5-7f49903f66fd

Establish alternate storage site that facilitates recovery operations

CMA_C1270 - Establish alternate storage site that facilitates recovery operations

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

e4054c0e-1184-09e6-4c5e-701e0bc90f81

Report atypical behavior of user accounts

CMA_C1025 - Report atypical behavior of user accounts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

41172402-8d73-64c7-0921-909083c086b0

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.0.1 > 7.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Not allow for information systems to accompany with individuals

CMA_C1182 - Not allow for information systems to accompany with individuals

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

085467a6-9679-5c65-584a-f55acefd0d43

Require developers to implement only approved changes

CMA_C1596 - Require developers to implement only approved changes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ced291b8-1d3d-7e27-40cf-829e9dd523c8

Review and update the information security architecture

CMA_C1504 - Review and update the information security architecture

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3eabed6d-1912-2d3c-858b-f438d08d0412

Ensure external providers consistently meet interests of the customers

CMA_C1592 - Ensure external providers consistently meet interests of the customers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

00f12b6f-10d7-8117-9577-0f2b76488385

Integrate risk management process into SDLC

CMA_C1567 - Integrate risk management process into SDLC

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

2d2ca910-7957-23ee-2945-33f401606efc

Accept only FICAM-approved third-party credentials

CMA_C1348 - Accept only FICAM-approved third-party credentials

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

cae7c12e-764b-4c87-841a-fdc6675d196f

App Service app slots should not have CORS configured to allow every resource to access your apps

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

eb8a8df9-521f-3ccd-7e2c-3d1fcc812340

Review and update configuration management policies and procedures

CMA_C1175 - Review and update configuration management policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

5269d7e4-3768-501d-7e46-66c56c15622c

Manage contacts for authorities and special interest groups

CMA_0359 - Manage contacts for authorities and special interest groups

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

33d34fac-56a8-1c0f-0636-3ed94892a709

Govern the allocation of resources

CMA_0293 - Govern the allocation of resources

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

0065241c-72e9-3b2c-556f-75de66332a94

Establish parameters for searching secret authenticators and verifiers

CMA_0274 - Establish parameters for searching secret authenticators and verifiers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

396f465d-375e-57de-58ba-021adb008191

Invalidate session identifiers at logout

CMA_C1661 - Invalidate session identifiers at logout

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

eda0cbb7-6043-05bf-645b-67411f1a59b3

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.0.2 > 7.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Ensure there are no unencrypted static authenticators

CMA_C1340 - Ensure there are no unencrypted static authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

91a54089-2d69-0f56-62dc-b6371a1671c0

Resume all mission and business functions

CMA_C1254 - Resume all mission and business functions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

39999038-9ef1-602a-158c-ce2367185230

Define performance metrics

CMA_0124 - Define performance metrics

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

4b8fd5da-609b-33bf-9724-1c946285a14c

Notify Account Managers of customer controlled accounts

CMA_C1009 - Notify Account Managers of customer controlled accounts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

c3b3cc61-9c70-5d78-7f12-1aefcc477db7

Review security testing, training, and monitoring plans

CMA_C1754 - Review security testing, training, and monitoring plans

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

59f7feff-02aa-6539-2cf7-bea75b762140

Develop access control policies and procedures

CMA_0144 - Develop access control policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f131c8c5-a54a-4888-1efc-158928924bc1

Require developers to build security architecture

CMA_C1612 - Require developers to build security architecture

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

cdcb825f-a0fb-31f9-29c1-ab566718499a

Publish Computer Matching Agreements on public website

CMA_C1829 - Publish Computer Matching Agreements on public website

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

1fdf0b24-4043-3c55-357e-036985d50b52

Ensure security safeguards not needed when the individuals return

CMA_C1183 - Ensure security safeguards not needed when the individuals return

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

898a5781-2254-5a37-34c7-d78ea7c20d55

Publish SORNs for systems containing PII

CMA_C1862 - Publish SORNs for systems containing PII

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

7ded6497-815d-6506-242b-e043e0273928

Plan for resumption of essential business functions

CMA_C1253 - Plan for resumption of essential business functions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

4c385143-09fd-3a34-790c-a5fd9ec77ddc

Provide role-based security training

CMA_C1094 - Provide role-based security training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

a28323fe-276d-3787-32d2-cef6395764c4

Kubernetes cluster Windows containers should not overcommit cpu and memory

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.2 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Develop audit and accountability policies and procedures

CMA_0154 - Develop audit and accountability policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f7eb1d0b-6d4f-2d59-1591-7563e11a9313

Define and enforce conditions for shared and group accounts

CMA_0117 - Define and enforce conditions for shared and group accounts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

e1a09430-221d-4d4c-a337-1edb5a1fa9bb

Function app slots should require FTPS only

Enable FTPS enforcement for enhanced security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ca748dfe-3e28-1d18-4221-89aea30aa0a5

Identify status of individual users

CMA_C1316 - Identify status of individual users

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d

Configure App Service apps to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

cf9ca02d-383e-4506-a421-258cc1a5300d

[Deprecated]: Function app slots should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f30edfad-4e1d-1eef-27ee-9292d6d89842

Perform security function verification at a defined frequency

CMA_C1709 - Perform security function verification at a defined frequency

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

0040d2e5-2779-170d-6a2c-1f5fca353335

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.0 > 6.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Restrict location of information processing, storage and services

CMA_C1593 - Restrict location of information processing, storage and services

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

6de65dc4-8b4f-34b7-9290-eb137a2e2929

Develop and document application security requirements

CMA_0148 - Develop and document application security requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

81b6267b-97a7-9aa5-51ee-d2584a160424

Create separate alternate and primary storage sites

CMA_C1269 - Create separate alternate and primary storage sites

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

834b7a4a-83ab-2188-1a26-9c5033d8173b

Incorporate security and data privacy practices in research processing

CMA_0331 - Incorporate security and data privacy practices in research processing

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

90a156a6-49ed-18d1-1052-69aac27c05cd

Kubernetes resources should have required annotations

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Allocate resources in determining information system requirements

CMA_C1561 - Allocate resources in determining information system requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

0716f0f5-4955-2ccb-8d5e-c6be14d57c0f

Ensure cluster containers have readiness or liveness probes configured

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Ensure resources are authorized

CMA_C1159 - Ensure resources are authorized

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

eff6e4a5-3efe-94dd-2ed1-25d56a019a82

Distribute policies and procedures

CMA_0185 - Distribute policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

de077e7e-0cc8-65a6-6e08-9ab46c827b05

Produce, control and distribute asymmetric cryptographic keys

CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b320aa42-33b4-53af-87ce-100091d48918

Document third-party personnel security requirements

CMA_C1531 - Document third-party personnel security requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

6baae474-434f-2e91-7163-a72df30c4847

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Manage security state of information systems

CMA_C1746 - Manage security state of information systems

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b65c5d8e-9043-9612-2c17-65f231d763bb

Employ independent assessors to conduct security control assessments

CMA_C1148 - Employ independent assessors to conduct security control assessments

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

b544f797-a73b-1be3-6d01-6b1a085376bc

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.0 > 6.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Establish information security workforce development and improvement program

CMA_C1752 - Establish information security workforce development and improvement program

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

a44c9fba-43f8-4b7b-7ee6-db52c96b4366

Facilitate information sharing

CMA_0284 - Facilitate information sharing

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b470a37a-7a47-3792-34dd-7a793140702e

Establish relationship between incident response capability and external providers

CMA_C1376 - Establish relationship between incident response capability and external providers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b8587fce-138f-86e8-33a3-c60768bf1da6

Automate remote maintenance activities

CMA_C1402 - Automate remote maintenance activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d8350d4c-9314-400b-288f-20ddfce04fbd

Define and enforce the limit of concurrent sessions

CMA_C1050 - Define and enforce the limit of concurrent sessions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

874a6f2e-2098-53bc-3a16-20dcdc425a7e

Create configuration plan protection

CMA_C1233 - Create configuration plan protection

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d136ae80-54dd-321c-98b4-17acf4af2169

Provide updated security awareness training

CMA_C1090 - Provide updated security awareness training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

53fc1282-0ee3-2764-1319-e20143bb0ea5

Review contingency plan

CMA_C1247 - Review contingency plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

2d14ff7e-6ff9-838c-0cde-4962ccdb1689

Employ business case to record the resources required

CMA_C1735 - Employ business case to record the resources required

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

14a4fd0a-9100-1e12-1362-792014a28155

Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.1.0 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Update contingency plan

CMA_C1248 - Update contingency plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ef5a7059-6651-73b1-18b3-75b1b79c1565

Define information security roles and responsibilities

CMA_C1565 - Define information security roles and responsibilities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

dcbc65aa-59f3-4239-8978-3bb869d82604

App Service apps should use an Azure file share for its content directory

The content directory of an app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.

Default
Audit
Allowed
Audit, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

55be3260-a7a2-3c06-7fe6-072d07525ab7

Accept PIV credentials

CMA_C1347 - Accept PIV credentials

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

ffea18d9-13de-6505-37f3-4c1f88070ad7

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Review cloud service provider's compliance with policies and agreements

CMA_0469 - Review cloud service provider's compliance with policies and agreements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

25a5046c-c423-4805-9235-e844ae9ef49b

Configure Function apps to turn off remote debugging

Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

de251b09-4a5e-1204-4bef-62ac58d47999

Adjust level of audit review, analysis, and reporting

CMA_C1123 - Adjust level of audit review, analysis, and reporting

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f801d58e-5659-9a4a-6e8d-02c9334732e5

Restore resources to operational state

CMA_C1297 - Restore resources to operational state

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3bd4e0af-7cbb-a3ec-4918-056a3c017ae2

Keep SORNs updated

CMA_C1863 - Keep SORNs updated

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

22a02c9a-49e4-5dc9-0d14-eb35ad717154

Obtain design and implementation information for the security controls

CMA_C1576 - Obtain design and implementation information for the security controls

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

311802f9-098d-0659-245a-94c5d47c0182

Employ boundary protection to isolate information systems

CMA_C1639 - Employ boundary protection to isolate information systems

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

a1a22235-dd10-4062-bd55-7d62778f41b0

Function app slots should not have CORS configured to allow every resource to access your apps

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

836f8406-3b8a-11bb-12cb-6c7fa0765668

Develop configuration item identification plan

CMA_C1231 - Develop configuration item identification plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

c6fe3856-4635-36b6-983c-070da12a953b

Implement the risk management strategy

CMA_C1744 - Implement the risk management strategy

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

4e400494-53a5-5147-6f4d-718b539c7394

Manage compliance activities

CMA_0358 - Manage compliance activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

7a114735-a420-057d-a651-9a73cd0416ef

Require developers to provide unified security protection approach

CMA_C1614 - Require developers to provide unified security protection approach

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

75b9db50-7906-2351-98ae-0458218609e5

Retain accounting of disclosures of information

CMA_C1819 - Retain accounting of disclosures of information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ba99d512-3baa-1c38-8b0b-ae16bbd34274

Test contingency plan at an alternate processing location

CMA_C1265 - Test contingency plan at an alternate processing location

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

2f204e72-1896-3bf8-75c9-9128b8683a36

Reissue authenticators for changed groups and accounts

CMA_0426 - Reissue authenticators for changed groups and accounts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

c6aeb800-0b19-944d-92dc-59b893722329

Rescreen individuals at a defined frequency

CMA_C1512 - Rescreen individuals at a defined frequency

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3e37c891-840c-3eb4-78d2-e2e0bb5063e0

Require developers to describe accurate security functionality

CMA_C1613 - Require developers to describe accurate security functionality

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

74041cfe-3f87-1d17-79ec-34ca5f895542

Function apps should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (3.0.0 > 4.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Produce complete records of remote maintenance activities

CMA_C1403 - Produce complete records of remote maintenance activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

e21f91d1-2803-0282-5f2d-26ebc4b170ef

Update organizational access agreements

CMA_0520 - Update organizational access agreements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

2e7a98c9-219f-0d58-38dc-d69038224442

Protect the information security program plan

CMA_C1732 - Protect the information security program plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d9af7f88-686a-5a8b-704b-eafdab278977

Obtain legal opinion for monitoring system activities

CMA_C1688 - Obtain legal opinion for monitoring system activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (7.0.0 > 8.0.0)

2022-09-19 17:41:40

BuiltIn

App Service

Configure Function apps to use the latest TLS version

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Network

Configure network security groups to enable traffic analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2022-09-19 17:41:40

BuiltIn

Kubernetes

0471c6b7-1588-701c-2713-1fade73b75f6

Kubernetes cluster containers should only use allowed pull policy

Restrict containers' pull policy to enforce containers to use only allowed images on deployments

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Display an explicit logout message

CMA_C1056 - Display an explicit logout message

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f8a63511-66f1-503f-196d-d6217ee0823a

Require developers to produce evidence of security assessment plan execution

CMA_C1602 - Require developers to produce evidence of security assessment plan execution

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

4012c2b7-4e0e-a7ab-1688-4aab43f14420

Map authenticated identities to individuals

CMA_0372 - Map authenticated identities to individuals

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b269a749-705e-8bff-055a-147744675cdf

Conduct backup of information system documentation

CMA_C1289 - Conduct backup of information system documentation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

80029bc5-834f-3a9c-a2d8-acbc1aab4e9f

Employ restrictions on external system interconnections

CMA_C1155 - Employ restrictions on external system interconnections

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

725164e5-3b21-1ec2-7e42-14f077862841

Require compliance with intellectual property rights

CMA_0432 - Require compliance with intellectual property rights

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b8689b2e-4308-a58b-a0b4-6f3343a000df

Use automated mechanisms for security alerts

CMA_C1707 - Use automated mechanisms for security alerts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

4e45863d-9ea9-32b4-a204-2680bc6007a6

Require external service providers to comply with security requirements

CMA_C1586 - Require external service providers to comply with security requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

03d550b4-34ee-03f4-515f-f2e2faf7a413

Review access control policies and procedures

CMA_0457 - Review access control policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d48a6f19-a284-6fc6-0623-3367a74d3f50

Update interconnection security agreements

CMA_0519 - Update interconnection security agreements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

cb8841d4-9d13-7292-1d06-ba4d68384681

Perform a business impact assessment and application criticality assessment

CMA_0386 - Perform a business impact assessment and application criticality assessment

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (7.0.1 > 8.0.0)

2022-09-19 17:41:40

BuiltIn

Kubernetes

8b333332-6efd-7c0d-5a9f-d1eb95105214

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.2 > 6.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Employ FIPS 201-approved technology for PIV

CMA_C1579 - Employ FIPS 201-approved technology for PIV

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

8e920169-739d-40b5-3f99-c4d855327bb2

Prohibit binary/machine-executable code

CMA_C1717 - Prohibit binary/machine-executable code

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

729c8708-2bec-093c-8427-2e87d2cd426d

Automate notification of employee termination

CMA_C1521 - Automate notification of employee termination

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

4edaca8c-0912-1ac5-9eaa-6a1057740fae

Provide capability to disconnect or disable remote access

CMA_C1066 - Provide capability to disconnect or disable remote access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

171e377b-5224-4a97-1eaa-62a3b5231dac

Generate internal security alerts

CMA_C1704 - Generate internal security alerts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

09960521-759e-5d12-086f-4192a72a5e92

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Protect administrator and user documentation

CMA_C1583 - Protect administrator and user documentation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Storage

94c842e3-8098-38f9-6d3f-8872b790527d

Configure diagnostic settings for Blob Services to Log Analytics workspace

Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Remove or redact any PII

CMA_C1833 - Remove or redact any PII

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

bfc540fe-376c-2eef-4355-121312fa4437

Maintain separate execution domains for running processes

CMA_C1665 - Maintain separate execution domains for running processes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

bbb2e6d6-085f-5a35-a55d-e45daad38933

Provide secure name and address resolution services

CMA_0416 - Provide secure name and address resolution services

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

464a7d7a-2358-4869-0b49-6d582ca21292

Ensure capital planning and investment requests include necessary resources

CMA_C1734 - Ensure capital planning and investment requests include necessary resources

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b7306e73-0494-83a2-31f5-280e934a8f70

Develop and document a DDoS response plan

CMA_0147 - Develop and document a DDoS response plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f49925aa-9b11-76ae-10e2-6e973cc60f37

Review and update system and services acquisition policies and procedures

CMA_C1560 - Review and update system and services acquisition policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

adf517f3-6dcd-3546-9928-34777d0c277e

Review and update system and communications protection policies and procedures

CMA_C1616 - Review and update system and communications protection policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

75b42dcf-7840-1271-260b-852273d7906e

Develop contingency planning policies and procedures

CMA_0156 - Develop contingency planning policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

bd6cbcba-4a2d-507c-53e3-296b5c238a8e

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (8.0.0 > 9.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Develop and document a business continuity and disaster recovery plan

CMA_0146 - Develop and document a business continuity and disaster recovery plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

28aa060e-25c7-6121-05d8-a846f11433df

Review and update planning policies and procedures

CMA_C1491 - Review and update planning policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

a1334a65-2622-28ee-5067-9d7f5b915cc5

Communicate contingency plan changes

CMA_C1249 - Communicate contingency plan changes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

96333008-988d-4add-549b-92b3a8c42063

Update privacy plan, policies, and procedures

CMA_C1807 - Update privacy plan, policies, and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

20012034-96f0-85c2-4a86-1ae1eb457802

Review and update risk assessment policies and procedures

CMA_C1537 - Review and update risk assessment policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71

Function app slots should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3054c74b-9b45-2581-56cf-053a1a716c39

Accept assessment results

CMA_C1150 - Accept assessment results

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

12af7c7a-92af-9e96-0d0c-5e732d1a3751

Ensure information system fails in known state

CMA_C1662 - Ensure information system fails in known state

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3eecf628-a1c8-1b48-1b5c-7ca781e97970

Specify permitted actions associated with customer audit information

CMA_C1122 - Specify permitted actions associated with customer audit information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

77cc89bb-774f-48d7-8a84-fb8c322c3000

Track software license usage

CMA_C1235 - Track software license usage

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ca6d7878-3189-1833-4620-6c7254ed1607

Obtain continuous monitoring plan for security controls

CMA_C1577 - Obtain continuous monitoring plan for security controls

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

7b28ba4f-0a87-46ac-62e1-46b7c09202a8

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Monitor account activity

CMA_0377 - Monitor account activity

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

84a01872-5318-049e-061e-d56734183e84

Distribute information system documentation

CMA_C1584 - Distribute information system documentation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

6c79c3e5-5f7b-a48a-5c7b-8c158bc01115

Ensure security categorization is approved

CMA_C1540 - Ensure security categorization is approved

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

44b71aa8-099d-8b97-1557-0e853ec38e0d

Obtain functional properties of security controls

CMA_C1575 - Obtain functional properties of security controls

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

676c3c35-3c36-612c-9523-36d266a65000

Require developers to provide training

CMA_C1611 - Require developers to provide training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b4e19d22-8c0e-7cad-3219-c84c62dc250f

Review and update media protection policies and procedures

CMA_C1427 - Review and update media protection policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

dc7ec756-221c-33c8-0afe-c48e10e42321

Verify security controls for external information systems

CMA_0541 - Verify security controls for external information systems

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

df54d34f-65f3-39f1-103c-a0464b8615df

Manage transfers between standby and active system components

CMA_0371 - Manage transfers between standby and active system components

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f6794ab8-9a7d-3b24-76ab-265d3646232b

Provide role-based training on suspicious activities

CMA_C1097 - Provide role-based training on suspicious activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

24b7a1c6-44fe-40cc-a2e6-242d2ef70e98

App Service app slots should be injected into a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

27ce30dd-3d56-8b54-6144-e26d9a37a541

Ensure audit records are not altered

CMA_C1125 - Ensure audit records are not altered

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

5bac5fb7-7735-357b-767d-02264bfe5c3b

Perform all non-local maintenance

CMA_C1417 - Perform all non-local maintenance

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

dd2523d5-2db3-642b-a1cf-83ac973b32c2

Establish benchmarks for flaw remediation

CMA_C1675 - Establish benchmarks for flaw remediation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

178c8b7e-1b6e-4289-44dd-2f1526b678a1

Ensure alternate storage site safeguards are equivalent to primary site

CMA_C1268 - Ensure alternate storage site safeguards are equivalent to primary site

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

db580551-0b3c-4ea1-8a4c-4cdb5feb340f

Provide the logout capability

CMA_C1055 - Provide the logout capability

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

68d2e478-3b19-23eb-1357-31b296547457

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.0 > 6.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Enforce software execution privileges

CMA_C1041 - Enforce software execution privileges

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Storage

c981fa70-2e58-8141-1457-e7f62ebc2ade

Configure diagnostic settings for Storage Accounts to Log Analytics workspace

Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Document organizational access agreements

CMA_0192 - Document organizational access agreements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f3c17714-8ce7-357f-4af2-a0baa63a063f

Make SORNs available publicly

CMA_C1865 - Make SORNs available publicly

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

8f835d6a-4d13-9a9c-37dc-176cebd37fda

Document wireless access security controls

CMA_C1695 - Document wireless access security controls

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

e7589f4e-1e8b-72c2-3692-1e14d7f3699f

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Ensure access agreements are signed or resigned timely

CMA_C1528 - Ensure access agreements are signed or resigned timely

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

be1c34ab-295a-07a6-785c-36f63c1d223e

Obtain user security function documentation

CMA_C1581 - Obtain user security function documentation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

18e9d748-73d4-0c96-55ab-b108bfbd5bc3

Notify personnel of any failed security verification tests

CMA_C1710 - Notify personnel of any failed security verification tests

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

611ebc63-8600-50b6-a0e3-fef272457132

Employ independent team for penetration testing

CMA_C1171 - Employ independent team for penetration testing

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

29acfac0-4bb4-121b-8283-8943198b1549

Review and update identification and authentication policies and procedures

CMA_C1299 - Review and update identification and authentication policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

bf883b14-9c19-0f37-8825-5e39a8b66d5b

Perform threat modeling

CMA_0392 - Perform threat modeling

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3f1216b0-30ee-1ac9-3899-63eb744e85f5

Obtain Admin documentation

CMA_C1580 - Obtain Admin documentation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

524e7136-9f6a-75ba-9089-501018151346

Document security and privacy training activities

CMA_0198 - Document security and privacy training activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

92b94485-1c49-3350-9ada-dffe94f08e87

Obtain approvals for acquisitions and outsourcing

CMA_C1590 - Obtain approvals for acquisitions and outsourcing

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

db8b35d6-8adb-3f51-44ff-c648ab5b1530

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.0 > 5.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Employ FICAM-approved resources to accept third-party credentials

CMA_C1349 - Employ FICAM-approved resources to accept third-party credentials

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

b2c723e8-a1a0-8e38-5cf1-f5a20ffe4f51

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

Default
Audit
Allowed
Audit, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Publish access procedures in SORNs

CMA_C1848 - Publish access procedures in SORNs

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

57adc919-9dca-817c-8197-64d812070316

Develop an enterprise architecture

CMA_C1741 - Develop an enterprise architecture

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

2067b904-9552-3259-0cdd-84468e284b7c

Review and update system maintenance policies and procedures

CMA_C1395 - Review and update system maintenance policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

b33d61c1-7463-7025-0ec0-a47585b59147

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 7.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Require developers to manage change integrity

CMA_C1595 - Require developers to manage change integrity

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d200f199-69f4-95a6-90b0-37ff0cf1040c

Provide the capability to extend or limit auditing on customer-deployed resources

CMA_C1141 - Provide the capability to extend or limit auditing on customer-deployed resources

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

e7422f08-65b4-50e4-3779-d793156e0079

Develop a concept of operations (CONOPS)

CMA_0141 - Develop a concept of operations (CONOPS)

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

3af53f59-979f-24a8-540f-d7cdbc366607

Require users to sign access agreement

CMA_0440 - Require users to sign access agreement

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ff136354-1c92-76dc-2dab-80fb7c6a9f1a

Observe and report security weaknesses

CMA_0384 - Observe and report security weaknesses

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.0.2 > 7.0.0)

2022-09-19 17:41:40

BuiltIn

Kubernetes

a8df9c78-4044-98be-2c05-31a315ac8957

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (8.0.0 > 9.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Conform to FICAM-issued profiles

CMA_C1350 - Conform to FICAM-issued profiles

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

a30bd8e9-7064-312a-0e1f-e1b485d59f6e

Review exploit protection events

CMA_0472 - Review exploit protection events

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

13939f8c-4cd5-a6db-9af4-9dfec35e3722

Identify and mitigate potential issues at alternate storage site

CMA_C1271 - Identify and mitigate potential issues at alternate storage site

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

1fdeb7c4-4c93-8271-a135-17ebe85f1cc7

Incorporate simulated events into incident response training

CMA_C1356 - Incorporate simulated events into incident response training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

92a7591f-73b3-1173-a09c-a08882d84c70

Identify actions allowed without authentication

CMA_0295 - Identify actions allowed without authentication

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab

Check for privacy and security compliance before establishing internal connections

CMA_0053 - Check for privacy and security compliance before establishing internal connections

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

fd34e936-069e-4fe5-bac6-f7c9824caab6

App Service app slots should use an Azure file share for its content directory

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

App Service

449ebb52-945b-36e5-3446-af6f33770f8f

App Service apps should be injected into a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Update the security authorization

CMA_C1160 - Update the security authorization

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

edcc36f1-511b-81e0-7125-abee29752fe7

Manage availability and capacity

CMA_0356 - Manage availability and capacity

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

afd5d60a-48d2-8073-1ec2-6687e22f2ddd

Require notification of third-party personnel transfer or termination

CMA_C1532 - Require notification of third-party personnel transfer or termination

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ff1efad2-6b09-54cc-01bf-d386c4d558a8

Secure the interface to external systems

CMA_0491 - Secure the interface to external systems

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Storage

3a868d0c-538f-968b-0191-bddb44da5b75

Configure diagnostic settings for Queue Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Require developers to document approved changes and potential impact

CMA_C1597 - Require developers to document approved changes and potential impact

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

83eea3d3-0d2c-9ccd-1021-2111b29b2a62

Ensure system capable of dynamic isolation of resources

CMA_C1638 - Ensure system capable of dynamic isolation of resources

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

cf79f602-1e60-5423-6c0c-e632c2ea1fc0

Implement controls to protect PII

CMA_C1839 - Implement controls to protect PII

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

2af4640d-11a6-a64b-5ceb-a468f4341c0c

Define and enforce inactivity log policy

CMA_C1017 - Define and enforce inactivity log policy

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

cbfa1bd0-714d-8d6f-0480-2ad6a53972df

Define and document government oversight

CMA_C1587 - Define and document government oversight

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

f6da5cca-5795-60ff-49e1-4972567815fe

Require developer to identify SDLC ports, protocols, and services

CMA_C1578 - Require developer to identify SDLC ports, protocols, and services

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

ced727b3-005e-3c5b-5cd5-230b79d56ee8

Implement a fault tolerant name/address service

CMA_0305 - Implement a fault tolerant name/address service

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Storage

9c954fcf-6dd8-81f1-41b5-832ae5c62caf

Configure diagnostic settings for Table Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

Incorporate simulated contingency training

CMA_C1260 - Incorporate simulated contingency training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

1b8a7ec3-11cc-a2d3-8cd0-eedf074424a4

Employ automatic shutdown/restart when violations are detected

CMA_C1715 - Employ automatic shutdown/restart when violations are detected

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

69d90ee6-9f9f-262a-2038-d909fb4e5723

Identify spilled information

CMA_0303 - Identify spilled information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

22457e81-3ec6-5271-a786-c3ca284601dd

Isolate information spills

CMA_0346 - Isolate information spills

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

7fc1f0da-0050-19bb-3d75-81ae15940df6

Provide monitoring information as needed

CMA_C1689 - Provide monitoring information as needed

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

13bcff5d-f0eb-4ce7-913e-83ad6300376b

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (7.0.0 > 8.0.0)

2022-09-19 17:41:40

BuiltIn

App Service

Function app slots should use an Azure file share for its content directory

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

82bd024a-5c99-05d6-96ff-01f539676a1a

Monitor security and privacy training completion

CMA_0379 - Monitor security and privacy training completion

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Kubernetes

a096cbd0-4693-432f-9374-682f485f23f3

Kubernetes cluster Windows containers should only run with approved user and domain user group

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-19 17:41:40

BuiltIn

App Service

Configure Function apps to only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

a90c4d44-7fac-8e02-6d5b-0d92046b20e6

Automate flaw remediation

CMA_0027 - Automate flaw remediation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

677e1da4-00c3-287a-563d-f4a1cf9b99a0

Conduct Risk Assessment

CMA_C1543 - Conduct Risk Assessment

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

08c11b48-8745-034d-1c1b-a144feec73b9

Restrict use of open source software

CMA_C1237 - Restrict use of open source software

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

8c44a0ea-9b09-4d9c-0e91-f9bee3d05bfb

Document customer-defined actions

CMA_C1582 - Document customer-defined actions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

70057208-70cc-7b31-3c3a-121af6bc1966

Secure commitment from leadership

CMA_0489 - Secure commitment from leadership

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

b262e1dd-08e9-41d4-963a-258909ad794b

Implement managed interface for each external service

CMA_C1626 - Implement managed interface for each external service

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-19 17:41:40

BuiltIn

Regulatory Compliance

d02498e0-8a6f-6b02-8332-19adf6711d1e

Develop organization code of conduct policy

CMA_0159 - Develop organization code of conduct policy

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

13efd2d7-3980-a2a4-39d0-527180c009e8

Document security assurance requirements in acquisition contracts

CMA_0199 - Document security assurance requirements in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

37dbe3dc-0e9c-24fa-36f2-11197cbfa207

Ensure authorized users protect provided authenticators

CMA_C1339 - Ensure authorized users protect provided authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d78f95ba-870a-a500-6104-8a5ce2534f19

Document protection of security information in acquisition contracts

CMA_0195 - Document protection of security information in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

0a24f5dc-8c40-94a7-7aee-bb7cd4781d37

Issue guidelines for ensuring data quality and integrity

CMA_C1824 - Issue guidelines for ensuring data quality and integrity

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5b802722-71dd-a13d-2e7e-231e09589efb

Implement privileged access for executing vulnerability scanning activities

CMA_C1555 - Implement privileged access for executing vulnerability scanning activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d93fe1be-13e4-421d-9c21-3158e2fa2667

Implement plans of action and milestones for security program process

CMA_C1737 - Implement plans of action and milestones for security program process

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Monitoring

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-09-13 16:35:29

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-09-13 16:35:29

BuiltIn

Monitoring

6228396e-2ace-7ca5-3247-45767dbf52f4

[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs

Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location.

Default
Modify
Allowed
Modify, Disabled

count: 003
•Managed Identity Contributor
•Managed Identity Operator
•Virtual Machine Contributor

change

Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

Notify personnel upon sanctions

CMA_0380 - Notify personnel upon sanctions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Synapse

1e5ed725-f16c-478b-bd4b-7bfa2f7940b9

Configure Azure Synapse workspaces to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8aec4343-9153-9641-172c-defb201f56b3

Review cloud identity report overview

CMA_0468 - Review cloud identity report overview

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

98145a9b-428a-7e81-9d14-ebb154a24f93

View and investigate restricted users

CMA_0545 - View and investigate restricted users

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

37b0045b-3887-367b-8b4d-b9a6fa911bb9

Assess information security events

CMA_0013 - Assess information security events

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d42a8f69-a193-6cbc-48b9-04a9e29961f1

Protect wireless access

CMA_0411 - Protect wireless access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b6b32f80-a133-7600-301e-398d688e7e0c

Evaluate and review PII holdings regularly

CMA_C1832 - Evaluate and review PII holdings regularly

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f27a298f-9443-014a-0d40-fef12adf0259

Review administrator assignments weekly

CMA_0461 - Review administrator assignments weekly

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

496b407d-9b9e-81e8-4ba4-44bc686b016a

Conduct exit interview upon termination

CMA_0058 - Conduct exit interview upon termination

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

9b55929b-0101-47c0-a16e-d6ac5c7d21f8

Undergo independent security review

CMA_0515 - Undergo independent security review

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

36b74844-4a99-4c80-1800-b18a516d1585

Control use of portable storage devices

CMA_0083 - Control use of portable storage devices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8747b573-8294-86a0-8914-49e9b06a5ace

Establish configuration management requirements for developers

CMA_0270 - Establish configuration management requirements for developers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

477bd136-7dd9-55f8-48ac-bae096b86a07

Develop POA&M

CMA_C1156 - Develop POA&M

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

08ad71d0-52be-6503-4908-e015460a16ae

Require use of individual authenticators

CMA_C1305 - Require use of individual authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

1fb1cb0e-1936-6f32-42fd-89970b535855

Manage nonlocal maintenance and diagnostic activities

CMA_0364 - Manage nonlocal maintenance and diagnostic activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-09-13 16:35:29

BuiltIn

Monitoring

1cb7bf71-841c-4741-438a-67c65fdd7194

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

Provide security training for new users

CMA_0419 - Provide security training for new users

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

60ee1260-97f0-61bb-8155-5d8b75743655

Separate duties of individuals

CMA_0492 - Separate duties of individuals

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8e49107c-3338-40d1-02aa-d524178a2afe

Deliver security assessment results

CMA_C1147 - Deliver security assessment results

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

623b5f0a-8cbd-03a6-4892-201d27302f0c

Define information system account types

CMA_0121 - Define information system account types

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

cc057769-01d9-95ad-a36f-1e62a7f9540b

Update POA&M items

CMA_C1157 - Update POA&M items

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

df2e9507-169b-4114-3a52-877561ee3198

Implement security engineering principles of information systems

CMA_0325 - Implement security engineering principles of information systems

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

eaaae23f-92c9-4460-51cf-913feaea4d52

Employ a media sanitization mechanism

CMA_0208 - Employ a media sanitization mechanism

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f2222056-062d-1060-6dc2-0107a68c34b2

Manage a secure surveillance camera system

CMA_0354 - Manage a secure surveillance camera system

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d041726f-00e0-41ca-368c-b1a122066482

Provide role-based practical exercises

CMA_C1096 - Provide role-based practical exercises

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

1c258345-5cd4-30c8-9ef3-5ee4dd5231d6

Develop security assessment plan

CMA_C1144 - Develop security assessment plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

271a3e58-1b38-933d-74c9-a580006b80aa

Document personnel acceptance of privacy requirements

CMA_0193 - Document personnel acceptance of privacy requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

67ada943-8539-083d-35d0-7af648974125

Determine supplier contract obligations

CMA_0140 - Determine supplier contract obligations

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5fe84a4c-1b0c-a738-2aba-ed49c9069d3b

Prohibit unfair practices

CMA_0396 - Prohibit unfair practices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8cd815bf-97e1-5144-0735-11f6ddb50a59

Enforce and audit access restrictions

CMA_C1203 - Enforce and audit access restrictions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

1afada58-8b34-7ac2-a38a-983218635201

Define acceptable and unacceptable mobile code technologies

CMA_C1651 - Define acceptable and unacceptable mobile code technologies

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

27ab3ac0-910d-724d-0afa-1a2a01e996c0

Respond to rectification requests

CMA_0442 - Respond to rectification requests

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

7d10debd-4775-85a7-1a41-7e128e0e8c50

Automate process to prohibit implementation of unapproved changes

CMA_C1194 - Automate process to prohibit implementation of unapproved changes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

6abdf7c7-362b-3f35-099e-533ed50988f9

Assign information security representative to change control

CMA_C1198 - Assign information security representative to change control

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e

Implement methods for consumer requests

CMA_0319 - Implement methods for consumer requests

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

35de8462-03ff-45b3-5746-9d4603c74c56

Implement an insider threat program

CMA_C1751 - Implement an insider threat program

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

97cfd944-6f0c-7db2-3796-8e890ef70819

Establish conditions for role membership

CMA_0269 - Establish conditions for role membership

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b2ea1058-8998-3dd1-84f1-82132ad482fd

Develop and establish a system security plan

CMA_0151 - Develop and establish a system security plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

dbcef108-7a04-38f5-8609-99da110a2a57

Determine information protection needs

CMA_C1750 - Determine information protection needs

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

979ed3b6-83f9-26bc-4b86-5b05464700bf

Modify access authorizations upon personnel transfer

CMA_0374 - Modify access authorizations upon personnel transfer

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

6610f662-37e9-2f71-65be-502bdc2f554d

Update rules of behavior and access agreements

CMA_0521 - Update rules of behavior and access agreements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

21633c09-804e-7fcd-78e3-635c6bfe2be7

Provide capability to process customer-controlled audit records

CMA_C1126 - Provide capability to process customer-controlled audit records

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c6b877a6-5d6d-1862-4b7f-3ccc30b25b63

Verify personal data is deleted at the end of processing

CMA_0540 - Verify personal data is deleted at the end of processing

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

516be556-1353-080d-2c2f-f46f000d5785

Provide periodic security awareness training

CMA_C1091 - Provide periodic security awareness training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

ad1d562b-a04b-15d3-6770-ed310b601cb5

Publish rules and regulations accessing Privacy Act records

CMA_C1847 - Publish rules and regulations accessing Privacy Act records

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

1beb1269-62ee-32cd-21ad-43d6c9750eb6

Ensure privacy program information is publicly available

CMA_C1867 - Ensure privacy program information is publicly available

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

0d04cb93-a0f1-2f4b-4b1b-a72a1b510d08

Assess risk in third party relationships

CMA_0014 - Assess risk in third party relationships

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

54a9c072-4a93-2a03-6a43-a060d30383d7

Eradicate contaminated information

CMA_0253 - Eradicate contaminated information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

7bdb79ea-16b8-453e-4ca4-ad5b16012414

Transfer backup information to an alternate storage site

CMA_C1294 - Transfer backup information to an alternate storage site

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f9ec3263-9562-1768-65a1-729793635a8d

Document protection of personal data in acquisition contracts

CMA_0194 - Document protection of personal data in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

58a51cde-008b-1a5d-61b5-d95849770677

Test the business continuity and disaster recovery plan

CMA_0509 - Test the business continuity and disaster recovery plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c7d57a6a-7cc2-66c0-299f-83bf90558f5d

Enforce random unique session identifiers

CMA_0247 - Enforce random unique session identifiers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

70a7a065-a060-85f8-7863-eb7850ed2af9

Produce Security Assessment report

CMA_C1146 - Produce Security Assessment report

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

7ad83b58-2042-085d-08f0-13e946f26f89

Update rules of behavior and access agreements every 3 years

CMA_0522 - Update rules of behavior and access agreements every 3 years

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

341bc9f1-7489-07d9-4ec6-971573e1546a

Define access authorizations to support separation of duties

CMA_0116 - Define access authorizations to support separation of duties

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

27965e62-141f-8cca-426f-d09514ee5216

Establish and maintain an asset inventory

CMA_0266 - Establish and maintain an asset inventory

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b5244f81-6cab-3188-2412-179162294996

Review publicly accessible content for nonpublic information

CMA_C1086 - Review publicly accessible content for nonpublic information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

9fdde4a9-85fa-7850-6df4-ae9c4a2e56f9

Integrate cloud app security with a siem

CMA_0340 - Integrate cloud app security with a siem

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

ee67c031-57fc-53d0-0cca-96c4c04345e8

Document and distribute a privacy policy

CMA_0188 - Document and distribute a privacy policy

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

fc26e2fd-3149-74b4-5988-d64bb90f8ef7

Separately store backup information

CMA_C1293 - Separately store backup information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

05ec66a2-137c-14b8-8e75-3d7a2bef07f8

Implement physical security for offices, working areas, and secure areas

CMA_0323 - Implement physical security for offices, working areas, and secure areas

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Monitoring

b8a9bb2f-7290-3259-85ce-dca7d521302d

Linux virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

Initiate transfer or reassignment actions

CMA_0333 - Initiate transfer or reassignment actions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

0ba211ef-0e85-2a45-17fc-401d1b3f8f85

Document requirements for the use of shared data in contracts

CMA_0197 - Document requirements for the use of shared data in contracts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8c255136-994b-9616-79f5-ae87810e0dcf

Enable network protection

CMA_0238 - Enable network protection

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

043c1e56-5a16-52f8-6af8-583098ff3e60

Create a data inventory

CMA_0096 - Create a data inventory

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f78fc35e-1268-0bca-a798-afcba9d2330a

Select additional testing for security control assessments

CMA_C1149 - Select additional testing for security control assessments

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b273f1e3-79e7-13ee-5b5d-dca6c66c3d5d

Manage maintenance personnel

CMA_C1421 - Manage maintenance personnel

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

e89436d8-6a93-3b62-4444-1d2a42ad56b2

Reevaluate access upon personnel transfer

CMA_0424 - Reevaluate access upon personnel transfer

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

fe2dff43-0a8c-95df-0432-cb1c794b17d0

Notify users of system logon or access

CMA_0382 - Notify users of system logon or access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

6f3866e8-6e12-69cf-788c-809d426094a1

Establish electronic signature and certificate requirements

CMA_0271 - Establish electronic signature and certificate requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

3881168c-5d38-6f04-61cc-b5d87b2c4c58

Establish third-party personnel security requirements

CMA_C1529 - Establish third-party personnel security requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

9e3c505e-7aeb-2096-3417-b132242731fc

Review content prior to posting publicly accessible information

CMA_C1085 - Review content prior to posting publicly accessible information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c72fc0c8-2df8-7506-30be-6ba1971747e1

Automate implementation of approved change notifications

CMA_C1196 - Automate implementation of approved change notifications

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

97f0d974-1486-01e2-2088-b888f46c0589

Train personnel on disclosure of nonpublic information

CMA_C1084 - Train personnel on disclosure of nonpublic information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

34738025-5925-51f9-1081-f2d0060133ed

Information security and personal data protection

CMA_0332 - Information security and personal data protection

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

6ab47bbf-867e-9113-7998-89b58f77326a

Respond to complaints, concerns, or questions timely

CMA_C1853 - Respond to complaints, concerns, or questions timely

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

2927e340-60e4-43ad-6b5f-7a1468232cc2

Configure detection whitelist

CMA_0068 - Configure detection whitelist

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Monitoring

06f84330-4c27-21f7-72cd-7488afd50244

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (4.0.0 > 5.0.0)

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

Implement privacy notice delivery methods

CMA_0324 - Implement privacy notice delivery methods

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

4f23967c-a74b-9a09-9dc2-f566f61a87b9

Establish backup policies and procedures

CMA_0268 - Establish backup policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b8972f60-8d77-1cb8-686f-9c9f4cdd8a59

Use dedicated machines for administrative tasks

CMA_0527 - Use dedicated machines for administrative tasks

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

1e0d5ba8-a433-01aa-829c-86b06c9631ec

Include dynamic reconfig of customer deployed resources

CMA_C1364 - Include dynamic reconfig of customer deployed resources

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

04b3e7f6-4841-888d-4799-cda19a0084f6

Document and implement wireless access guidelines

CMA_0190 - Document and implement wireless access guidelines

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

bab9ef1d-a16d-421a-822d-3fa94e808156

Route traffic through managed network access points

CMA_0484 - Route traffic through managed network access points

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b5a4be05-3997-1731-3260-98be653610f6

Perform disposition review

CMA_0391 - Perform disposition review

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

575ed5e8-4c29-99d0-0e4d-689fb1d29827

Automate approval request for proposed changes

CMA_C1192 - Automate approval request for proposed changes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

39eb03c1-97cc-11ab-0960-6209ed2869f7

Establish a privacy program

CMA_0257 - Establish a privacy program

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

ebb0ba89-6d8c-84a7-252b-7393881e43de

Document security strength requirements in acquisition contracts

CMA_0203 - Document security strength requirements in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

964b340a-43a4-4798-2af5-7aedf6cb001b

Collect PII directly from the individual

CMA_C1822 - Collect PII directly from the individual

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

426c172c-9914-10d1-25dd-669641fc1af4

Enable detection of network devices

CMA_0220 - Enable detection of network devices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5226dee6-3420-711b-4709-8e675ebd828f

Update information security policies

CMA_0518 - Update information security policies

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c5784049-959f-6067-420c-f4cefae93076

Coordinate contingency plans with related plans

CMA_0086 - Coordinate contingency plans with related plans

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

1ff03f2a-974b-3272-34f2-f6cd51420b30

Obscure feedback information during authentication process

CMA_C1344 - Obscure feedback information during authentication process

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c246d146-82b0-301f-32e7-1065dcd248b7

Review changes for any unauthorized changes

CMA_C1204 - Review changes for any unauthorized changes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c148208b-1a6f-a4ac-7abc-23b1d41121b1

Document the information system environment in acquisition contracts

CMA_0205 - Document the information system environment in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

a465e8e9-0095-85cb-a05f-1dd4960d02af

Document security documentation requirements in acquisition contract

CMA_0200 - Document security documentation requirements in acquisition contract

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

214ea241-010d-8926-44cc-b90a96d52adc

Compile Audit records into system wide audit

CMA_C1140 - Compile Audit records into system wide audit

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8019d788-713d-90a1-5570-dac5052f517d

Train staff on PII sharing and its consequences

CMA_C1871 - Train staff on PII sharing and its consequences

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

07b42fb5-027e-5a3c-4915-9d9ef3020ec7

Discover any indicators of compromise

CMA_C1702 - Discover any indicators of compromise

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b28c8687-4bbd-8614-0b96-cdffa1ac6d9c

Review and update incident response policies and procedures

CMA_C1352 - Review and update incident response policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

069101ac-4578-31da-0cd4-ff083edd3eb4

Obtain consent prior to collection or processing of personal data

CMA_0385 - Obtain consent prior to collection or processing of personal data

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

eab4450d-9e5c-4f38-0656-2ff8c78c83f3

Document and implement privacy complaint procedures

CMA_0189 - Document and implement privacy complaint procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5020f3f4-a579-2f28-72a8-283c5a0b15f9

Restrict communications

CMA_0449 - Restrict communications

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

29363ae1-68cd-01ca-799d-92c9197c8404

Manage authenticator lifetime and reuse

CMA_0355 - Manage authenticator lifetime and reuse

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f741c4e6-41eb-15a4-25a2-61ac7ca232f0

Integrate audit review, analysis, and reporting

CMA_0339 - Integrate audit review, analysis, and reporting

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8b1da407-5e60-5037-612e-2caa1b590719

Record disclosures of PII to third parties

CMA_0422 - Record disclosures of PII to third parties

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f33c3238-11d2-508c-877c-4262ec1132e1

Recover and reconstitute resources after any disruption

CMA_C1295 - Recover and reconstitute resources after any disruption

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

57927290-8000-59bf-3776-90c468ac5b4b

Document security functional requirements in acquisition contracts

CMA_0201 - Document security functional requirements in acquisition contracts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

85335602-93f5-7730-830b-d43426fd51fa

Integrate Audit record analysis

CMA_C1120 - Integrate Audit record analysis

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

01c387ea-383d-4ca9-295a-977fab516b03

Authorize remote access to privileged commands

CMA_C1064 - Authorize remote access to privileged commands

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

52375c01-4d4c-7acc-3aa4-5b3d53a047ec

Define the duties of processors

CMA_0127 - Define the duties of processors

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

509552f5-6528-3540-7959-fbeae4832533

Enforce rules of behavior and access agreements

CMA_0248 - Enforce rules of behavior and access agreements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c6cf9f2c-5fd8-3f16-a1f1-f0b69c904928

Appoint a senior information security officer

CMA_C1733 - Appoint a senior information security officer

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d8bbd80e-3bb1-5983-06c2-428526ec6a63

Establish a password policy

CMA_0256 - Establish a password policy

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Monitoring

5715bf33-a5bd-1084-4e19-bc3c83ec1c35

Linux virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

Establish terms and conditions for processing resources

CMA_C1077 - Establish terms and conditions for processing resources

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d4e6a629-28eb-79a9-000b-88030e4823ca

Coordinate with external organizations to achieve cross org perspective

CMA_C1368 - Coordinate with external organizations to achieve cross org perspective

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

203101f5-99a3-1491-1b56-acccd9b66a9e

Conduct a security impact analysis

CMA_0057 - Conduct a security impact analysis

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

e8c31e15-642d-600f-78ab-bad47a5787e6

Require third-party providers to comply with personnel security policies and procedures

CMA_C1530 - Require third-party providers to comply with personnel security policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

01ae60e2-38bb-0a32-7b20-d3a091423409

Implement system boundary protection

CMA_0328 - Implement system boundary protection

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

18e7906d-4197-20fa-2f14-aaac21864e71

Document process to ensure integrity of PII

CMA_C1827 - Document process to ensure integrity of PII

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

42116f15-5665-a52a-87bb-b40e64c74b6c

Develop acceptable use policies and procedures

CMA_0143 - Develop acceptable use policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c42f19c9-5d88-92da-0742-371a0ea03126

Clear personnel with access to classified information

CMA_0054 - Clear personnel with access to classified information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

6c0a312f-04c5-5c97-36a5-e56763a02b6b

Review and sign revised rules of behavior

CMA_0465 - Review and sign revised rules of behavior

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

4ac81669-00e2-9790-8648-71bc11bc91eb

Manage the transportation of assets

CMA_0370 - Manage the transportation of assets

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c2eabc28-1e5c-78a2-a712-7cc176c44c07

Implement a penetration testing methodology

CMA_0306 - Implement a penetration testing methodology

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

93fa357f-2e38-22a9-5138-8cc5124e1923

Categorize information

CMA_0052 - Categorize information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

678ca228-042d-6d8e-a598-c58d5670437d

Prohibit remote activation of collaborative computing devices

CMA_C1648 - Prohibit remote activation of collaborative computing devices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

9c93ef57-7000-63fb-9b74-88f2e17ca5d2

Disseminate security alerts to personnel

CMA_C1705 - Disseminate security alerts to personnel

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

0123edae-3567-a05a-9b05-b53ebe9d3e7e

View and configure system diagnostic data

CMA_0544 - View and configure system diagnostic data

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

72889284-15d2-90b2-4b39-a1e9541e1152

Verify identity before distributing authenticators

CMA_0538 - Verify identity before distributing authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

92b49e92-570f-1765-804a-378e6c592e28

Automate process to highlight unreviewed change proposals

CMA_C1193 - Automate process to highlight unreviewed change proposals

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5d3abfea-a130-1208-29c0-e57de80aa6b0

Review the results of contingency plan testing

CMA_C1262 - Review the results of contingency plan testing

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b4409bff-2287-8407-05fd-c73175a68302

Enforce a limit of consecutive failed login attempts

CMA_C1044 - Enforce a limit of consecutive failed login attempts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

34aac8b2-488a-2b96-7280-5b9b481a317a

Incorporate flaw remediation into configuration management

CMA_C1671 - Incorporate flaw remediation into configuration management

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

4ce91e4e-6dab-3c46-011a-aa14ae1561bf

Maintain list of authorized remote maintenance personnel

CMA_C1420 - Maintain list of authorized remote maintenance personnel

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d4f70530-19a2-2a85-6e0c-0c3c465e3325

Make accounting of disclosures available upon request

CMA_C1820 - Make accounting of disclosures available upon request

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

1ee4c7eb-480a-0007-77ff-4ba370776266

Use system clocks for audit records

CMA_0535 - Use system clocks for audit records

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

4aacaec9-0628-272c-3e83-0d68446694e0

Manage Authenticators

CMA_C1321 - Manage Authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

9b8b05ec-3d21-215e-5d98-0f7cf0998202

Provide security awareness training for insider threats

CMA_0417 - Provide security awareness training for insider threats

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

3ae68d9a-5696-8c32-62d3-c6f9c52e437c

Refresh authenticators

CMA_0425 - Refresh authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

ef718fe4-7ceb-9ddf-3198-0ee8f6fe9cba

Review file and folder activity

CMA_0473 - Review file and folder activity

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5023a9e7-8e64-2db6-31dc-7bce27f796af

Provide privacy notice to the public and to individuals

CMA_C1861 - Provide privacy notice to the public and to individuals

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

aa892c0d-2c40-200c-0dd8-eac8c4748ede

Employ automatic emergency lighting

CMA_0209 - Employ automatic emergency lighting

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

92ede480-154e-0e22-4dca-8b46a74a3a51

Maintain records of processing of personal data

CMA_0353 - Maintain records of processing of personal data

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

2b2f3a72-9e68-3993-2b69-13dcdecf8958

Define requirements for supplying goods and services

CMA_0126 - Define requirements for supplying goods and services

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c2cb4658-44dc-9d11-3dad-7c6802dd5ba3

Generate error messages

CMA_C1724 - Generate error messages

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5c33538e-02f8-0a7f-998b-a4c1e22076d3

Govern compliance of cloud service providers

CMA_0290 - Govern compliance of cloud service providers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5decc032-95bd-2163-9549-a41aba83228e

Implement formal sanctions process

CMA_0317 - Implement formal sanctions process

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

23d1a569-2d1e-7f43-9e22-1f94115b7dd5

Identify classes of Incidents and Actions taken

CMA_C1365 - Identify classes of Incidents and Actions taken

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f29b17a4-0df2-8a50-058a-8570f9979d28

Assign system identifiers

CMA_0018 - Assign system identifiers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

e4e1f896-8a93-1151-43c7-0ad23b081ee2

Authorize, monitor, and control voip

CMA_0025 - Authorize, monitor, and control voip

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

098a7b84-1031-66d8-4e78-bd15b5fd2efb

Provide privacy notice

CMA_0414 - Provide privacy notice

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8c5d3d8d-5cba-0def-257c-5ab9ea9644dc

Perform a risk assessment

CMA_0388 - Perform a risk assessment

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

37546841-8ea1-5be0-214d-8ac599588332

Maintain incident response plan

CMA_0352 - Maintain incident response plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

44f8a42d-739f-8030-89a8-4c2d5b3f6af3

Provide audit review, analysis, and reporting capability

CMA_C1124 - Provide audit review, analysis, and reporting capability

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

62fa14f0-4cbe-762d-5469-0899a99b98aa

Explicitly notify use of collaborative computing devices

CMA_C1649 - Explicitly notify use of collaborative computing devices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

77acc53d-0f67-6e06-7d04-5750653d4629

Document the protection of cardholder data in third party contracts

CMA_0207 - Document the protection of cardholder data in third party contracts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

13ef3484-3a51-785a-9c96-500f21f84edd

Information flow control using security policy filters

CMA_C1029 - Information flow control using security policy filters

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

4ee5975d-2507-5530-a20a-83a725889c6f

Restrict unauthorized software and firmware installation

CMA_C1205 - Restrict unauthorized software and firmware installation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

4781e5fd-76b8-7d34-6df3-a0a7fca47665

Prevent identifier reuse for the defined time period

CMA_C1314 - Prevent identifier reuse for the defined time period

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

afbecd30-37ee-a27b-8e09-6ac49951a0ee

Establish security requirements for the manufacturing of connected devices

CMA_0279 - Establish security requirements for the manufacturing of connected devices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

80a97208-264e-79da-0cc7-4fca179a0c9c

Protect against and prevent data theft from departing employees

CMA_0398 - Protect against and prevent data theft from departing employees

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

0803eaa7-671c-08a7-52fd-ac419f775e75

Document acquisition contract acceptance criteria

CMA_0187 - Document acquisition contract acceptance criteria

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

2af551d5-1775-326a-0589-590bfb7e9eb2

Limit privileges to make changes in production environment

CMA_C1206 - Limit privileges to make changes in production environment

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

921ae4c1-507f-5ddb-8a58-cfa9b5fd96f0

Establish authenticator types and processes

CMA_0267 - Establish authenticator types and processes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

ffdaa742-0d6f-726f-3eac-6e6c34e36c93

Establish usage restrictions for mobile code technologies

CMA_C1652 - Establish usage restrictions for mobile code technologies

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

43ac3ccb-4ef6-7d63-9a3f-6848485ba4e8

Automate process to document implemented changes

CMA_C1195 - Automate process to document implemented changes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

68a39c2b-0f17-69ee-37a3-aa10f9853a08

Establish voip usage restrictions

CMA_0280 - Establish voip usage restrictions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

a08b18c7-9e0a-89f1-3696-d80902196719

Document access privileges

CMA_0186 - Document access privileges

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b0e3035d-6366-2e37-796e-8bcab9c649e6

Establish a threat intelligence program

CMA_0260 - Establish a threat intelligence program

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

3b30aa25-0f19-6c04-5ca4-bd3f880a763d

Implement parameters for memorized secret verifiers

CMA_0321 - Implement parameters for memorized secret verifiers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

7a489c62-242c-5db9-74df-c073056d6fa3

Designate personnel to supervise unauthorized maintenance activities

CMA_C1422 - Designate personnel to supervise unauthorized maintenance activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

2b05dca2-25ec-9335-495c-29155f785082

Provide security training before providing access

CMA_0418 - Provide security training before providing access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

a930f477-9dcb-2113-8aa7-45bb6fc90861

Review and update the events defined in AU-02

CMA_C1106 - Review and update the events defined in AU-02

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

70fe686f-1f91-7dab-11bf-bca4201e183b

Review role group changes weekly

CMA_0476 - Review role group changes weekly

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

af227964-5b8b-22a2-9364-06d2cb9d6d7c

Develop information security policies and procedures

CMA_0158 - Develop information security policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c423e64d-995c-9f67-0403-b540f65ba42a

Assess Security Controls

CMA_C1145 - Assess Security Controls

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

aa0ddd99-43eb-302d-3f8f-42b499182960

Install an alarm system

CMA_0338 - Install an alarm system

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

291f20d4-8d93-1d73-89f3-6ce28b825563

Authorize, monitor, and control usage of mobile code technologies

CMA_C1653 - Authorize, monitor, and control usage of mobile code technologies

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8eea8c14-4d93-63a3-0c82-000343ee5204

Conduct a full text analysis of logged privileged commands

CMA_0056 - Conduct a full text analysis of logged privileged commands

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8b1f29eb-1b22-4217-5337-9207cb55231e

Perform information input validation

CMA_C1723 - Perform information input validation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d6653f89-7cb5-24a4-9d71-51581038231b

Reauthenticate or terminate a user session

CMA_0421 - Reauthenticate or terminate a user session

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Monitoring

e6f7b584-877a-0d69-77d4-ab8b923a9650

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

Document separation of duties

CMA_0204 - Document separation of duties

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5e4e9685-3818-5934-0071-2620c4fa2ca5

Retain previous versions of baseline configs

CMA_C1181 - Retain previous versions of baseline configs

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

423f6d9c-0c73-9cc6-64f4-b52242490368

Develop security safeguards

CMA_0161 - Develop security safeguards

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

9150259b-617b-596d-3bf5-5ca3fce20335

Establish policies for supply chain risk management

CMA_0275 - Establish policies for supply chain risk management

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b6ad009f-5c24-1dc0-a25e-74b60e4da45f

Control maintenance and repair activities

CMA_0080 - Control maintenance and repair activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d36700f2-2f0d-7c2a-059c-bdadd1d79f70

Establish a risk management strategy

CMA_0258 - Establish a risk management strategy

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

26d178a4-9261-6f04-a100-47ed85314c6e

Implement security directives

CMA_C1706 - Implement security directives

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

0f4fa857-079d-9d3d-5c49-21f616189e03

Provide real-time alerts for audit event failures

CMA_C1114 - Provide real-time alerts for audit event failures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

3545c827-26ee-282d-4629-23952a12008b

Conduct incident response testing

CMA_0060 - Conduct incident response testing

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

10874318-0bf7-a41f-8463-03e395482080

Correlate audit records

CMA_0087 - Correlate audit records

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

1282809c-9001-176b-4a81-260a085f4872

Perform audit for configuration change control

CMA_0390 - Perform audit for configuration change control

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

33602e78-35e3-4f06-17fb-13dd887448e4

Conduct capacity planning

CMA_C1252 - Conduct capacity planning

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

11ba0508-58a8-44de-5f3a-9e05d80571da

Develop business classification schemes

CMA_0155 - Develop business classification schemes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8a703eb5-4e53-701b-67e4-05ba2f7930c8

Separate user and information system management functionality

CMA_0493 - Separate user and information system management functionality

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

5c40f27b-6791-18c5-3f85-7b863bd99c11

Automate proposed documented changes

CMA_C1191 - Automate proposed documented changes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b4512986-80f5-1656-0c58-08866bd2673a

Designate authorized personnel to post publicly accessible information

CMA_C1083 - Designate authorized personnel to post publicly accessible information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f48b60c6-4b37-332f-7288-b6ea50d300eb

Review controlled folder access events

CMA_0471 - Review controlled folder access events

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

79c75b38-334b-1a69-65e0-a9d929a42f75

Document the legal basis for processing personal information

CMA_0206 - Document the legal basis for processing personal information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Monitoring

ba78efc6-795c-64f4-7a02-91effbd34af9

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

Execute actions in response to information spills

CMA_0281 - Execute actions in response to information spills

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

84245967-7882-54f6-2d34-85059f725b47

Establish an information security program

CMA_0263 - Establish an information security program

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

6b957f60-54cd-5752-44d5-ff5a64366c93

Develop SSP that meets criteria

CMA_C1492 - Develop SSP that meets criteria

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

3c93dba1-84fd-57de-33c7-ef0400a08134

Establish terms and conditions for accessing resources

CMA_C1076 - Establish terms and conditions for accessing resources

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

7d70383a-32f4-a0c2-61cf-a134851968c2

Determine legal authority to collect PII

CMA_C1800 - Determine legal authority to collect PII

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f8d141b7-4e21-62a6-6608-c79336e36bc9

Establish privacy requirements for contractors and service providers

CMA_C1810 - Establish privacy requirements for contractors and service providers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

9ac8621d-9acd-55bf-9f99-ee4212cc3d85

Provide periodic role-based security training

CMA_C1095 - Provide periodic role-based security training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

9ca3a3ea-3a1f-8ba0-31a8-6aed0fe1a7a4

Define mobile device requirements

CMA_0122 - Define mobile device requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

66e5cb69-9f1c-8b8d-8fbd-b832466d5aa8

Prevent split tunneling for remote devices

CMA_C1632 - Prevent split tunneling for remote devices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

fd81a1b3-2d7a-107c-507e-29b87d040c19

Enforce appropriate usage of all accounts

CMA_C1023 - Enforce appropriate usage of all accounts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

af5ff768-a34b-720e-1224-e6b3214f3ba6

Establish an alternate processing site

CMA_0262 - Establish an alternate processing site

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8bfdbaa6-6824-3fec-9b06-7961bf7389a6

Initiate contingency plan testing corrective actions

CMA_C1263 - Initiate contingency plan testing corrective actions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

433de59e-7a53-a766-02c2-f80f8421469a

Implement incident handling

CMA_0318 - Implement incident handling

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

f8ded0c6-a668-9371-6bb6-661d58787198

Monitor third-party provider compliance

CMA_C1533 - Monitor third-party provider compliance

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

6122970b-8d4a-7811-0278-4c6c68f61e4f

Restrict media use

CMA_0450 - Restrict media use

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

8bb40df9-23e4-4175-5db3-8dba86349b73

Confirm quality and integrity of PII

CMA_C1821 - Confirm quality and integrity of PII

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

35963d41-4263-0ef9-98d5-70eb058f9e3c

Establish procedures for initial authenticator distribution

CMA_0276 - Establish procedures for initial authenticator distribution

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

585af6e9-90c0-4575-67a7-2f9548972e32

Review and reevaluate privileges

CMA_C1207 - Review and reevaluate privileges

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

055da733-55c6-9e10-8194-c40731057ec4

Develop and maintain a vulnerability management standard

CMA_0152 - Develop and maintain a vulnerability management standard

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

b3c8cc83-20d3-3890-8bc8-5568777670f4

Establish requirements for audit review and reporting

CMA_0277 - Establish requirements for audit review and reporting

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

0bbfd658-93ab-6f5e-1e19-3c1c1da62d01

Keep accurate accounting of disclosures of information

CMA_C1818 - Keep accurate accounting of disclosures of information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

0461cacd-0b3b-4f66-11c5-81c9b19a3d22

Verify inaccurate or outdated PII

CMA_C1823 - Verify inaccurate or outdated PII

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

c79d378a-2521-822a-0407-57454f8d2c74

Notify upon termination or transfer

CMA_0381 - Notify upon termination or transfer

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

4c6df5ff-4ef2-4f17-a516-0da9189c603b

Assign account managers

CMA_0015 - Assign account managers

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

2d4d0e90-32d9-4deb-2166-a00d51ed57c0

Provide information spillage training

CMA_0413 - Provide information spillage training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

e0c480bf-0d68-a42d-4cbb-b60f851f8716

Implement personnel screening

CMA_0322 - Implement personnel screening

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

a8f9c283-9a66-3eb3-9e10-bdba95b85884

Run simulation attacks

CMA_0486 - Run simulation attacks

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

d18af1ac-0086-4762-6dc8-87cdded90e39

Perform a privacy impact assessment

CMA_0387 - Perform a privacy impact assessment

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-13 16:35:29

BuiltIn

Regulatory Compliance

3ad7f0bc-3d03-0585-4d24-529779bb02c2

Maintain availability of information

CMA_C1644 - Maintain availability of information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

50e81644-923d-33fc-6ebb-9733bc8d1a06

Perform a trend analysis on threats

CMA_0389 - Perform a trend analysis on threats

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

c0559109-6a27-a217-6821-5a6d44f92897

Maintain integrity of audit system

CMA_C1133 - Maintain integrity of audit system

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

6625638f-3ba1-7404-5983-0ea33d719d34

Review audit data

CMA_0466 - Review audit data

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

7c7032fe-9ce6-9092-5890-87a1a3755db1

Retain terminated user data

CMA_0455 - Retain terminated user data

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

ece8bb17-4080-5127-915f-dc7267ee8549

Verify security functions

CMA_C1708 - Verify security functions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

6f1de470-79f3-1572-866e-db0771352fc8

Authenticate to cryptographic module

CMA_0021 - Authenticate to cryptographic module

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

fad161f5-5261-401a-22dd-e037bae011bd

Review threat protection status weekly

CMA_0479 - Review threat protection status weekly

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Guest Configuration

efef28d0-3226-966a-a1e8-70e89c1b30bc

[Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

Retain security policies and procedures

CMA_0454 - Retain security policies and procedures

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

86ecd378-a3a0-5d5b-207c-05e6aaca43fc

Detect network services that have not been authorized or approved

CMA_C1700 - Detect network services that have not been authorized or approved

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

83dfb2b8-678b-20a0-4c44-5c75ada023e6

Document mobility training

CMA_0191 - Document mobility training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

3d399cf3-8fc6-0efc-6ab0-1412f1198517

Block untrusted and unsigned processes that run from USB

CMA_0050 - Block untrusted and unsigned processes that run from USB

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

59bedbdc-0ba9-39b9-66bb-1d1c192384e6

Control information flow

CMA_0079 - Control information flow

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

398fdbd8-56fd-274d-35c6-fa2d3b2755a1

Establish firewall and router configuration standards

CMA_0272 - Establish firewall and router configuration standards

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

873895e8-0e3a-6492-42e9-22cd030e9fcd

Restrict access to privileged accounts

CMA_0446 - Restrict access to privileged accounts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Security Center

951c1558-50a5-4ca3-abb6-a93e3e2367a6

Configure Microsoft Defender for SQL to be enabled on Synapse workspaces

Enable Microsoft Defender for SQL on your Azure Synapse workspaces to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit SQL databases.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

7805a343-275c-41be-9d62-7215b96212d8

Reassign or remove user privileges as needed

CMA_C1040 - Reassign or remove user privileges as needed

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

d661e9eb-4e15-5ba1-6f02-cdc467db0d6c

Define organizational requirements for cryptographic key management

CMA_0123 - Define organizational requirements for cryptographic key management

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

af38215f-70c4-0cd6-40c2-c52d86690a45

Set automated notifications for new and trending cloud applications in your organization

CMA_0495 - Set automated notifications for new and trending cloud applications in your organization

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

f96d2186-79df-262d-3f76-f371e3b71798

Review user privileges

CMA_C1039 - Review user privileges

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

3d492600-27ba-62cc-a1c3-66eb919f6a0d

Document remote access guidelines

CMA_0196 - Document remote access guidelines

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

b53aa659-513e-032c-52e6-1ce0ba46582f

Configure actions for noncompliant devices

CMA_0062 - Configure actions for noncompliant devices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

2c6bee3a-2180-2430-440d-db3c7a849870

Document security operations

CMA_0202 - Document security operations

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

ae5345d5-8dab-086a-7290-db43a3272198

Identify and authenticate network devices

CMA_0296 - Identify and authenticate network devices

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

50e9324a-7410-0539-0662-2c1e775538b7

Authorize and manage access

CMA_0023 - Authorize and manage access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

ed87d27a-9abf-7c71-714c-61d881889da4

Monitor privileged role assignment

CMA_0378 - Monitor privileged role assignment

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

a315c657-4a00-8eba-15ac-44692ad24423

Protect special information

CMA_0409 - Protect special information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

7a0ecd94-3699-5273-76a5-edb8499f655a

Determine assertion requirements

CMA_0136 - Determine assertion requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

b2d3e5a2-97ab-5497-565a-71172a729d93

Protect passwords with encryption

CMA_0408 - Protect passwords with encryption

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

7380631c-5bf5-0e3a-4509-0873becd8a63

Establish a configuration control board

CMA_0254 - Establish a configuration control board

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

55a7f9a0-6397-7589-05ef-5ed59a8149e7

Control physical access

CMA_0081 - Control physical access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

79f081c7-1634-01a1-708e-376197999289

Review user accounts

CMA_0480 - Review user accounts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

a830fe9e-08c9-a4fb-420c-6f6bf1702395

Review account provisioning logs

CMA_0460 - Review account provisioning logs

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

49c23d9b-02b0-0e42-4f94-e8cef1b8381b

Audit user account status

CMA_0020 - Audit user account status

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Security Center

d31e5c31-63b2-4f12-887b-e49456834fa1

Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces

Enable Defender for SQL to protect your Synapse workspaces. Defender for SQL monitors your Synapse SQL to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

1d39b5d9-0392-8954-8359-575ce1957d1a

Support personal verification credentials issued by legal authorities

CMA_0507 - Support personal verification credentials issued by legal authorities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

10c4210b-3ec9-9603-050d-77e4d26c7ebb

Enforce logical access

CMA_0245 - Enforce logical access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

2f20840e-7925-221c-725d-757442753e7c

Develop and maintain baseline configurations

CMA_0153 - Develop and maintain baseline configurations

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

526ed90e-890f-69e7-0386-ba5c0f1f784f

Establish and document a configuration management plan

CMA_0264 - Establish and document a configuration management plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

e4b00788-7e1c-33ec-0418-d048508e095b

Implement training for protecting authenticators

CMA_0329 - Implement training for protecting authenticators

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Guest Configuration

2454bbee-dc19-442f-83fc-7f3114cafd91

[Deprecated]: Windows machines should use the default NTP server

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

e603da3a-8af7-4f8a-94cb-1bcc0e0333d2

Manage the input, output, processing, and storage of data

CMA_0369 - Manage the input, output, processing, and storage of data

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

2cc9c165-46bd-9762-5739-d2aae5ba90a1

Automate account management

CMA_0026 - Automate account management

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

2f67e567-03db-9d1f-67dc-b6ffb91312f4

Determine auditable events

CMA_0137 - Determine auditable events

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

be38a620-000b-21cf-3cb3-ea151b704c3b

Remediate information system flaws

CMA_0427 - Remediate information system flaws

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

48c816c5-2190-61fc-8806-25d6f3df162f

Monitor access across the organization

CMA_0376 - Monitor access across the organization

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Security Center

f85bf3e0-d513-442e-89c3-1784ad63382b

System updates should be installed on your machines (powered by Update Center)

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

e435f7e3-0dd9-58c9-451f-9b44b96c0232

Implement controls to secure all media

CMA_0314 - Implement controls to secure all media

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

03b6427e-6072-4226-4bd9-a410ab65317e

Design an access control model

CMA_0129 - Design an access control model

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Storage

13502221-8df0-4414-9937-de9c5c4e396b

Configure your Storage account public access to be disallowed

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

4502e506-5f35-0df4-684f-b326e3cc7093

Terminate user session automatically

CMA_C1054 - Terminate user session automatically

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

058e9719-1ff9-3653-4230-23f76b6492e0

Enforce security configuration settings

CMA_0249 - Enforce security configuration settings

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

97d91b33-7050-237b-3e23-a77d57d84e13

Issue public key certificates

CMA_0347 - Issue public key certificates

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

de770ba6-50dd-a316-2932-e0d972eaa734

Require approval for account creation

CMA_0431 - Require approval for account creation

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

8489ff90-8d29-61df-2d84-f9ab0f4c5e84

Notify when account is not needed

CMA_0383 - Notify when account is not needed

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

cd36eeec-67e7-205a-4b64-dbfe3b4e3e4e

Implement controls to secure alternate work sites

CMA_0315 - Implement controls to secure alternate work sites

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Guest Configuration

b3248a42-b1c1-41a4-87bc-8bad3d845589

Windows machines should enable Windows Defender Real-time protection

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

a3e98638-51d4-4e28-910a-60e98c1a756f

Configure Azure Audit capabilities

CMA_C1108 - Configure Azure Audit capabilities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

4a6f5cbd-6c6b-006f-2bb1-091af1441bce

Review malware detections report weekly

CMA_0475 - Review malware detections report weekly

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

e336d5f4-4d8f-0059-759c-ae10f63d1747

Enforce user uniqueness

CMA_0250 - Enforce user uniqueness

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

aeed863a-0f56-429f-945d-8bb66bd06841

Authorize access to security functions and information

CMA_0022 - Authorize access to security functions and information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

2b4e134f-1e4c-2bff-573e-082d85479b6e

Develop an incident response plan

CMA_0145 - Develop an incident response plan

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

26daf649-22d1-97e9-2a8a-01b182194d59

Configure workstations to check for digital certificates

CMA_0073 - Configure workstations to check for digital certificates

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

32f22cfa-770b-057c-965b-450898425519

Revoke privileged roles as appropriate

CMA_0483 - Revoke privileged roles as appropriate

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

ea9d7c95-2f10-8a4d-61d8-7469bd2e8d65

Update antivirus definitions

CMA_0517 - Update antivirus definitions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

e23444b9-9662-40f3-289e-6d25c02b48fa

Review label activity and analytics

CMA_0474 - Review label activity and analytics

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

c4ccd607-702b-8ae6-8eeb-fc3339cd4b42

Define cryptographic use

CMA_0120 - Define cryptographic use

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

5fc24b95-53f7-0ed1-2330-701b539b97fe

Turn on sensors for endpoint security solution

CMA_0514 - Turn on sensors for endpoint security solution

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

b8dad106-6444-5f55-307e-1e1cc9723e39

Ensure cryptographic mechanisms are under configuration management

CMA_C1199 - Ensure cryptographic mechanisms are under configuration management

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

9c276cf3-596f-581a-7fbd-f5e46edaa0f4

Manage symmetric cryptographic keys

CMA_0367 - Manage symmetric cryptographic keys

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

3c9aa856-6b86-35dc-83f4-bc72cec74dea

Establish a data leakage management procedure

CMA_0255 - Establish a data leakage management procedure

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

c7fddb0e-3f44-8635-2b35-dc6b8e740b7c

Identify and manage downstream information exchanges

CMA_0298 - Identify and manage downstream information exchanges

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

bd4dc286-2f30-5b95-777c-681f3a7913d3

Establish and document change control processes

CMA_0265 - Establish and document change control processes

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Storage

f81e3117-0093-4b17-8a60-82363134f0eb

Configure secure transfer of data on a storage account

Secure transfer is an option that forces storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

63f63e71-6c3f-9add-4c43-64de23e554a7

Manage gateways

CMA_0363 - Manage gateways

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

b1666a13-8f67-9c47-155e-69e027ff6823

Enforce mandatory and discretionary access control policies

CMA_0246 - Enforce mandatory and discretionary access control policies

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

3c5e0e1a-216f-8f49-0a15-76ed0d8b8e1f

Perform vulnerability scans

CMA_0393 - Perform vulnerability scans

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

e714b481-8fac-64a2-14a9-6f079b2501a4

Use privileged identity management

CMA_0533 - Use privileged identity management

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

79365f13-8ba4-1f6c-2ac4-aa39929f56d0

Employ flow control mechanisms of encrypted information

CMA_0211 - Employ flow control mechanisms of encrypted information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

51e4b233-8ee3-8bdc-8f5f-f33bd0d229b7

Define a physical key management process

CMA_0115 - Define a physical key management process

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

33832848-42ab-63f3-1a55-c0ad309d44cd

Implement an automated configuration management tool

CMA_0311 - Implement an automated configuration management tool

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

eb1c944e-0e94-647b-9b7e-fdb8d2af0838

Review user groups and applications with access to sensitive data

CMA_0481 - Review user groups and applications with access to sensitive data

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

518eafdd-08e5-37a9-795b-15a8d798056d

Provide privacy training

CMA_0415 - Provide privacy training

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

e3905a3c-97e7-0b4f-15fb-465c0927536f

Correlate Vulnerability scan information

CMA_C1558 - Correlate Vulnerability scan information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

34d38ea7-6754-1838-7031-d7fd07099821

Manage system and admin accounts

CMA_0368 - Manage system and admin accounts

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

2c843d78-8f64-92b5-6a9b-e8186c0e7eb6

Enable dual or joint authorization

CMA_0226 - Enable dual or joint authorization

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

f476f3b0-4152-526e-a209-44e5f8c968d7

Establish network segmentation for card holder data environment

CMA_0273 - Establish network segmentation for card holder data environment

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

8d140e8b-76c7-77de-1d46-ed1b2e112444

Restrict access to private keys

CMA_0445 - Restrict access to private keys

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

1bc7fd64-291f-028e-4ed6-6e07886e163f

Employ least privilege access

CMA_0212 - Employ least privilege access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

db28735f-518f-870e-15b4-49623cbe3aa0

Verify software, firmware and information integrity

CMA_0542 - Verify software, firmware and information integrity

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

333b4ada-4a02-0648-3d4d-d812974f1bb2

Govern and monitor audit processing activities

CMA_0289 - Govern and monitor audit processing activities

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Guest Configuration

d96163de-dbe0-45ac-b803-0e9ca0f5764e

Windows machines should configure Windows Defender to update protection signatures within one day

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

d9d48ffb-0d8c-0bd5-5f31-5a5826d19f10

Disable authenticators upon termination

CMA_0169 - Disable authenticators upon termination

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

056a723b-4946-9d2a-5243-3aa27c4d31a1

Satisfy token quality requirements

CMA_0487 - Satisfy token quality requirements

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

dad8a2e9-6f27-4fc2-8933-7e99fe700c9c

Authorize remote access

CMA_0024 - Authorize remote access

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

0e696f5a-451f-5c15-5532-044136538491

Protect audit information

CMA_0401 - Protect audit information

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

b11697e8-9515-16f1-7a35-477d5c8a1344

Protect data in transit using encryption

CMA_0403 - Protect data in transit using encryption

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-09-02 16:33:37

BuiltIn

Regulatory Compliance

7d7a8356-5c34-9a95-3118-1424cfaf192a

Adopt biometric authentication mechanisms

CMA_0005 - Adopt biometric authentication mechanisms

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Storage

Configure diagnostic settings for Blob Services to Log Analytics workspace

Deploys the diagnostic settings for Blob Services to stream resource logs to a Log Analytics workspace when any blob Service which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, new suffix: preview (1.0.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

Storage

[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace

Deprecated: This policy did not evaluate correctly and has been separated into policies for each of the nested resources. Please see new policies for storage accounts (id: /providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef), blob services (b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb), file (25a70cc8-2bd4-47f1-90b6-1478e4662c96), queue (7bd000e3-37c7-4928-9f31-86c4b77c5c45), and table (2fb86bf3-d221-43d1-96d1-2434af34eaa0).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated)

2022-08-26 16:33:38

BuiltIn

Storage

Configure diagnostic settings for Queue Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, new suffix: preview (1.0.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

Monitoring

951af2fa-529b-416e-ab6e-066fd85ac459

Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, new suffix: preview (1.0.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

Key Vault

Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace

Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.1)

2022-08-26 16:33:38

BuiltIn

App Service

a4af4a39-4135-47fb-b175-47fbdf85311d

App Service apps should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (2.0.0 > 3.0.0)

2022-08-26 16:33:38

BuiltIn

Storage

1ecb79d7-1a06-9a3b-3be8-f434d04d1ec1

Configure diagnostic settings for File Services to Log Analytics workspace

Deploys the diagnostic settings for File Services to stream resource logs to a Log Analytics workspace when any file Service which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Regulatory Compliance

Adhere to retention periods defined

CMA_0004 - Adhere to retention periods defined

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Regulatory Compliance

f26af0b1-65b6-689a-a03f-352ad2d00f98

Audit privileged functions

CMA_0019 - Audit privileged functions

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Monitoring

bef3f64c-5290-43b7-85b0-9b254eef4c47

Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, new suffix: preview (1.0.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

Monitoring

Deploy Diagnostic Settings for Key Vault to Log Analytics workspace

Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-08-26 16:33:38

BuiltIn

Regulatory Compliance

9622aaa9-5c49-40e2-5bf8-660b7cd23deb

Alert personnel of information spillage

CMA_0007 - Alert personnel of information spillage

Default
Manual
Allowed
Manual, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Monitoring

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, new suffix: preview (1.1.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

Security Center

[Deprecated]: Configure Microsoft Defender for APIs should be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Security Center

Microsoft Defender for APIs should be enabled

Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Storage

Configure diagnostic settings for Table Services to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Storage

c520cefc-285f-40f3-86e2-2efc38ef1f64

Configure diagnostic settings for Storage Accounts to Log Analytics workspace

Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Batch

Configure Batch accounts to disable public network access

Disabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Monitoring

0f98368e-36bc-4716-8ac2-8f8067203b63

Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, new suffix: preview (1.0.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

App Service

Configure App Service apps to only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

App Service

a18c77f2-3d6d-497a-9f61-849a7e8a3b79

Configure App Service app slots to only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Monitoring

679ddf89-ab8f-48a5-9029-e76054077449

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, new suffix: preview (1.1.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

Machine Learning

Azure Machine Learning Compute Instance should have idle shutdown.

Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-08-26 16:33:38

BuiltIn

Monitoring

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, new suffix: preview (1.1.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

Guest Configuration

ae1b9a8c-dfce-4605-bd91-69213b4a26fc

[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-08-26 16:33:38

BuiltIn

App Service

App Service app slots should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-08-26 16:33:38

BuiltIn

Key Vault

Key vaults should have soft delete enabled

Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-08-26 16:33:38

BuiltIn

Monitoring

5174c1db-ca42-e0d4-b320-4f1cf6a1fa93

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, new suffix: preview (1.0.0 > 1.1.1-preview)

2022-08-26 16:33:38

BuiltIn

Kubernetes

Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault

Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires a Bucket SecretKey stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Kubernetes

2630c91f-8a20-8f43-14a2-2485b648e2a9

Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate

Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS CA Certificate. For instructions, visit https://aka.ms/GitOpsFlux2Policy.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Kubernetes

9e980dca-f3e1-8da3-6717-ad37b1ca6b27

Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets

Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a SSH private key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Kubernetes

b6c7fd52-4723-5f4d-a157-3d39bd16a1d7

Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Kubernetes

bf1a31be-3b79-5ba8-c9e0-9a8c9ad9f749

Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets

Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Azure Load Testing

65c4f833-1f2e-426c-8780-f6d7593bed7a

Azure load testing resource should use customer-managed keys to encrypt data at rest

Use customer-managed keys(CMK) to manage the encryption at rest for your Azure Load Testing resource. By default the encryptio is done using Service managed keys, customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/load-testing/how-to-configure-customer-managed-keys?tabs=portal.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Kubernetes

f9175d5f-abc8-1dc3-bd3c-5d7476ada3d1

Configure installation of Flux extension on Kubernetes cluster

Install Flux extension on Kubernetes cluster to enable deployment of 'fluxconfigurations' in the cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Automanage

83ea2fd1-9eaf-2f6d-f672-cd7b2ac798f6

Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.2.0)

2022-08-19 16:33:23

BuiltIn

Kubernetes

Configure Kubernetes clusters with Flux v2 configuration using public Git repository

Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires no secrets. For instructions, visit https://aka.ms/GitOpsFlux2Policy.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Kubernetes

b8c1d6c1-6137-97c6-9c34-d4627e54ca26

Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-08-19 16:33:23

BuiltIn

Automanage

Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.2.0)

2022-08-19 16:33:23

BuiltIn

Monitoring

Configure Windows Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-08-12 16:33:43

BuiltIn

Kubernetes

Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-08-12 16:33:43

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-08-12 16:33:43

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-08-12 16:33:43

BuiltIn

Monitoring

a58ac66d-92cb-409c-94b8-8e48d7a96596

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-08-12 16:33:43

BuiltIn

Network

[Deprecated]: Azure firewall policy should enable TLS inspection within application rules

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2022-08-12 16:33:43

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-08-12 16:33:43

BuiltIn

Monitoring

Configure Linux Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-08-12 16:33:43

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.0.1 > 4.1.0)

2022-08-12 16:33:43

BuiltIn

Monitoring

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-08-12 16:33:43

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.1 > 3.1.0)

2022-08-12 16:33:43

BuiltIn

Monitoring

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-08-12 16:33:43

BuiltIn

Cognitive Services

[Deprecated]: Cognitive Services should use private link

Default
Audit
Allowed
Audit, Disabled

change

Major (2.0.0 > 3.0.0)

2022-08-09 17:24:03

BuiltIn

Cognitive Services

Configure Cognitive Services accounts with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-08-09 17:24:03

BuiltIn

Monitoring

[Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.1 > 3.0.0)

2022-08-09 17:24:03

BuiltIn

Monitoring

e9ac8f8e-ce22-4355-8f04-99b911d6be52

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-08-09 17:24:03

BuiltIn

Security Center

Guest accounts with read permissions on Azure resources should be removed

External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Monitoring

8d7e1fde-fe26-4b5f-8108-f8e432cbc2be

Deploy Dependency agent for Linux virtual machines

Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.

Fixed
deployIfNotExists

change

Major (3.0.0 > 4.0.0)

2022-08-09 17:24:03

BuiltIn

Security Center

Blocked accounts with read and write permissions on Azure resources should be removed

Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Security Center

931e118d-50a1-4457-a5e4-78550e086c52

[Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled

This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Service Bus

cbd11fd3-3002-4907-b6c8-579f0e700e13

Service Bus Namespaces should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Monitoring

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-08-09 17:24:03

BuiltIn

Monitoring

Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below

Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.1.0 > 2.1.1)

2022-08-09 17:24:03

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets

Fixed
deployIfNotExists

change

Major (3.0.0 > 4.0.0)

2022-08-09 17:24:03

BuiltIn

Security Center

[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2022-08-09 17:24:03

BuiltIn

Security Center

[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2022-08-09 17:24:03

BuiltIn

Security Center

[Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2022-08-09 17:24:03

BuiltIn

Monitoring

a63cc0bd-cda4-4178-b705-37dc439d3e0f

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-08-09 17:24:03

BuiltIn

Cosmos DB

Configure CosmosDB accounts to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-08-09 17:24:03

BuiltIn

Cognitive Services

47ba1dd7-28d9-4b07-a8d5-9813bed64e0c

Configure Cognitive Services accounts to disable public network access

Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800.

Default
Modify
Allowed
Disabled, Modify

change

Major (2.0.0 > 3.0.0)

2022-08-09 17:24:03

BuiltIn

Security Center

339353f6-2387-4a45-abe4-7f529d121046

Guest accounts with owner permissions on Azure resources should be removed

External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Monitoring

187242f4-89c6-4c43-9a4e-188c0efacc5f

Resource logs should be enabled for Audit on supported resources

Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. The existence of a diagnostic setting for category group Audit on the selected resource types ensures that these logs are enabled and captured. Applicable resource types are those that support the "Audit" category group.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Security Center

94e1c2ac-cbbe-4cac-a2b5-389c812dee87

Guest accounts with write permissions on Azure resources should be removed

External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Security Center

81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4

[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2022-08-09 17:24:03

BuiltIn

Security Center

[Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled

This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2022-08-09 17:24:03

BuiltIn

Security Center

e3e008c3-56b9-4133-8fd7-d3347377402a

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (5.1.1-preview > 5.2.0-preview)

2022-08-09 17:24:03

BuiltIn

Security Center

[Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled

This policy definition is deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-09 17:24:03

BuiltIn

Security Center

[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2022-08-09 17:24:03

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview)

2022-08-09 17:24:03

BuiltIn

Azure Ai Services

Azure AI Services resources should restrict network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-08-05 16:32:22

BuiltIn

Monitoring

Deploy Log Analytics extension for Linux VMs. See deprecation notice below

Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date

Fixed
deployIfNotExists

change

Major (2.0.1 > 3.0.0)

2022-08-05 16:32:22

BuiltIn

Cognitive Services

0cfea604-3201-4e14-88fc-fae4c427a6c5

[Deprecated]: Cognitive Services accounts should disable public network access

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-08-05 16:32:22

BuiltIn

Security Center

Blocked accounts with owner permissions on Azure resources should be removed

Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-08-05 16:32:22

BuiltIn

Container Apps

783ea2a8-b8fd-46be-896a-9ae79643a0b1

Container Apps should disable external network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-29 16:32:46

BuiltIn

Container Apps

2b585559-a78e-4cc4-b1aa-fb169d2f6b96

Authentication should be enabled on Container Apps

Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-29 16:32:46

BuiltIn

Container Apps

d074ddf8-01a5-4b5e-a2b8-964aed452c0a

Container Apps environment should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-29 16:32:46

BuiltIn

Container Apps

7c9f3fbb-739d-4844-8e42-97e3be6450e0

Container App should configure with volume mount

Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-29 16:32:46

BuiltIn

Compute

8426280e-b5be-43d9-979e-653d12a08638

Configure managed disks to disable public network access

Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc.

Default
Modify
Allowed
Modify, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-29 16:32:46

BuiltIn

Lab Services

e8a5a3eb-1ab6-4657-a701-7ae432cf14e1

Lab Services should not allow template virtual machines for labs

This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-07-29 16:32:46

BuiltIn

Container Apps

b874ab2d-72dd-47f1-8cb5-4a306478a4e7

Managed Identity should be enabled for Container Apps

Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-29 16:32:46

BuiltIn

Monitoring

8405fdab-1faf-48aa-b702-999c9c172094

Configure Log Analytics extension on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.1.0 > 2.1.1)

2022-07-29 16:32:46

BuiltIn

Compute

Managed disks should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-29 16:32:46

BuiltIn

Kubernetes

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (7.0.0-preview > 7.1.0-preview)

2022-07-29 16:32:46

BuiltIn

Monitoring

8b346db6-85af-419b-8557-92cee2c0f9bb

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-07-29 16:32:46

BuiltIn

Container Apps

Container App environments should use network injection

Container Apps environments should use virtual network injection to: 1.Isolate Container Apps from the public internet 2.Enable network integration with resources on-premises or in other Azure virtual networks 3.Achieve more granular control over network traffic flowing to and from the environment.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.1 > 1.0.2)

2022-07-29 16:32:46

BuiltIn

Lab Services

0fd9915e-cab3-4f24-b200-6e20e1aa276a

Lab Services should require non-admin user for labs

This policy requires non-admin user accounts to be created for the labs managed through lab-services.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-07-29 16:32:46

BuiltIn

Container Apps

0e80e269-43a4-4ae9-b5bc-178126b8a5cb

Container Apps should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-29 16:32:46

BuiltIn

Lab Services

3e13d504-9083-4912-b935-39a085db2249

Lab Services should restrict allowed virtual machine SKU sizes

This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-07-29 16:32:46

BuiltIn

Monitoring

a6e9cf2d-7d76-440e-b795-8da246bd3aab

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-07-29 16:32:46

BuiltIn

Lab Services

Lab Services should enable all options for auto shutdown

This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-07-29 16:32:46

BuiltIn

Machine Learning

e413671a-dd10-4cc1-a943-45b598596cb7

Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility

Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: https://aka.ms/V1LegacyMode.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-07-29 16:32:46

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

Kubernetes

Azure Kubernetes Service clusters should have Defender profile enabled

Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks

Default
Audit
Allowed
Audit, Disabled

change

Major (1.0.3 > 2.0.0)

2022-07-26 16:32:46

BuiltIn

Cognitive Services

Configure Cognitive Services accounts with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-07-26 16:32:46

BuiltIn

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (3.1.1 > 4.0.0)

2022-07-26 16:32:46

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

Monitoring

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings

Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

Monitoring

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

Monitoring

Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

Monitoring

[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-26 16:32:46

BuiltIn

SQL

Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-22 16:34:49

BuiltIn

Kubernetes

7e4301f9-5f32-4738-ad9f-7ec2d15563ad

Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-07-22 16:34:49

BuiltIn

Azure Active Directory

Configure Private Link for Azure AD to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure AD. Learn more at: https://aka.ms/privateLinkforAzureADDocs.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-22 16:34:49

BuiltIn

SQL

9dfea752-dd46-4766-aed1-c355fa93fb91

Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-22 16:34:49

BuiltIn

SQL

Azure SQL Managed Instances should disable public network access

Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-07-22 16:34:49

BuiltIn

Azure Active Directory

b923afcf-4c3a-4ed6-8386-1ff64b68de47

Configure Private Link for Azure AD with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-22 16:34:49

BuiltIn

Azure Active Directory

2e9411a0-0c5a-44b3-9ddb-ff10a1a2bf28

Azure Active Directory should use private link to access Azure services

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365).

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-07-22 16:34:49

BuiltIn

SQL

6134c3db-786f-471e-87bc-8f479dc890f6

Deploy Advanced Data Security on SQL servers

This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix.

Fixed
DeployIfNotExists

change

Minor (1.2.0 > 1.3.0)

2022-07-22 16:34:49

BuiltIn

SQL

4d080fa5-a6d2-4f98-ba9c-f482d0d335c0

Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-22 16:34:49

BuiltIn

Health Bot

Azure Health Bots should use customer-managed keys to encrypt data at rest

Use customer-managed keys (CMK) to manage the encryption at rest of the data of your healthbots. By default, the data is encrypted at rest with service-managed keys, but CMK are commonly required to meet regulatory compliance standards. CMK enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://docs.microsoft.com/azure/health-bot/cmk

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-07-15 16:32:44

BuiltIn

Container Registry

785596ed-054f-41bc-aaec-7f3d0ba05725

Configure container registries to disable ARM audience token authentication.

Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: https://aka.ms/acr/authentication.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-07-15 16:32:44

BuiltIn

Container Registry

42781ec6-6127-4c30-bdfa-fb423a0047d3

Container registries should have ARM audience token authentication disabled.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-07-15 16:32:44

BuiltIn

Container Instance

8af8f826-edcb-4178-b35f-851ea6fea615

Azure Container Instance container group should deploy into a virtual network

Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (1.0.0 > 2.0.0)

2022-07-15 16:32:44

BuiltIn

App Service

2d21331d-a4c2-4def-a9ad-ee4e1e023beb

App Service app slots should have local authentication methods disabled for SCM site deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2022-07-15 16:32:44

BuiltIn

Network

App Service apps should use a virtual network service endpoint

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-15 16:32:44

BuiltIn

Managed Identity

c854b0f0-02d0-4f94-9b42-fd175fbd4d49

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2022-07-08 16:32:07

BuiltIn

Internet of Things

Deploy - Configure IoT Central with private endpoints

A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT Central to allow services inside your virtual network to reach IoT Central without requiring traffic to be sent to IoT Central's public endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.2.1 > 5.0.0)

2022-07-08 16:32:07

BuiltIn

Kubernetes

92bb331d-ac71-416a-8c91-02f2cb734ce4

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (1.0.3-preview > 2.0.0-preview)

2022-07-08 16:32:07

BuiltIn

API Management

API Management calls to API backends should not bypass certificate thumbprint or name validation

To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.0 > 1.0.1)

2022-07-08 16:32:07

BuiltIn

Kubernetes

0e7849de-b939-4c50-ab48-fc6b0f5eeba2

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.1.0 > 7.0.0)

2022-07-08 16:32:07

BuiltIn

Azure Databricks

Azure Databricks Workspaces should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

API Management

c15dcc82-b93c-4dcb-9332-fbf121685b54

API Management calls to API backends should be authenticated

Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.0 > 1.0.1)

2022-07-08 16:32:07

BuiltIn

Network

632d3993-e2c0-44ea-a7db-2eca131f356d

[Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

Kubernetes

9ace2dbc-4b71-48b6-b2a7-428b0b2e3944

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.3.1 > 4.0.0)

2022-07-08 16:32:07

BuiltIn

Internet of Things

IoT Central should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your IoT Central application instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/iotcentral-network-security-using-pe.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

Internet of Things

d02e48d5-28d9-40d3-8ab8-301932a6f9cb

Modify - Configure IoT Central to disable public network access

Disabling the public network access property improves security by ensuring your IoT Central can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

Monitoring

46388f67-373c-4018-98d3-2b83172dd13a

Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-07-08 16:32:07

BuiltIn

Fluid Relay

Fluid Relay should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your Fluid Relay server. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you, with full control and responsibility, including rotation and management. Learn more at https://docs.microsoft.com/azure/azure-fluid-relay/concepts/customer-managed-keys.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

API Management

b741306c-968e-4b67-b916-5675e5c709f4

API Management direct management endpoint should not be enabled

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.0 > 1.0.1)

2022-07-08 16:32:07

BuiltIn

Internet of Things

cd870362-211d-4cad-9ad9-11e5ea4ebbc1

Public network access should be disabled for IoT Central

To improve the security of IoT Central, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/iotcentral-restrict-public-access. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

Kubernetes

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (6.1.2-preview > 7.0.0-preview)

2022-07-08 16:32:07

BuiltIn

Kubernetes

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.2.0 > 6.2.1)

2022-07-08 16:32:07

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should not overcommit cpu and memory

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2022-07-08 16:32:07

BuiltIn

Kubernetes

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.1.0 > 7.0.0)

2022-07-08 16:32:07

BuiltIn

Security Center

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.

Fixed
deployIfNotExists

change

Minor (4.0.1 > 4.1.0)

2022-07-08 16:32:07

BuiltIn

Monitoring

d627d7c6-ded5-481a-8f2e-7e16b1e6faf6

Configure Log Analytics extension on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-07-08 16:32:07

BuiltIn

Internet of Things

Deploy - Configure IoT Central to use private DNS zones

Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Central private endpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

Kubernetes

549814b6-3212-4203-bdc8-1548d342fb67

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.2.0 > 7.0.0)

2022-07-08 16:32:07

BuiltIn

API Management

API Management minimum API version should be set to 2019-12-01 or higher

To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-08 16:32:07

BuiltIn

Kubernetes

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (5.0.3-preview > 6.0.0-preview)

2022-07-08 16:32:07

BuiltIn

Managed Identity

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2022-07-08 16:32:07

BuiltIn

API Management

f1cc7827-022c-473e-836e-5a51cae0b249

API Management APIs should use only encrypted protocols

To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (2.0.0 > 2.0.1)

2022-07-08 16:32:07

BuiltIn

API Management

API Management secret named values should be stored in Azure Key Vault

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.0 > 1.0.1)

2022-07-08 16:32:07

BuiltIn

Security Center

5b9d063f-c5fd-4750-a489-1258d1fefcbf

Deploy export to Event Hub for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Minor (4.0.1 > 4.1.0)

2022-07-08 16:32:07

BuiltIn

Internet of Things

Configure Azure Device Update for IoT Hub accounts with private endpoint

A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-07-08 16:32:07

BuiltIn

Guest Configuration

828ba269-bf7f-4082-83dd-633417bc391d

Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines

Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-07-08 16:32:07

BuiltIn

App Service

2b9ad585-36bc-4615-b300-fd4435808332

App Service apps should use managed identity

Use a managed identity for enhanced authentication security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

88999f4c-376a-45c8-bcb3-4058f713cf39

[Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app

Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Java should use the latest 'Java version'', which is scoped to include API apps in addition to Web apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

App Service app slots should have local authentication methods disabled for SCM site deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

Kubernetes

0820b7b9-23aa-4725-a1ce-ae4558f718e5

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.1 > 5.0.2)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps should not have CORS configured to allow every resource to access your apps

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b

App Service apps should require FTPS only

Enable FTPS enforcement for enhanced security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

cb510bfd-1cba-4d9f-a230-cb0976f4bb71

App Service apps should have remote debugging turned off

Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.2.1 > 5.0.0)

2022-07-01 16:32:34

BuiltIn

Kubernetes

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, new suffix: preview (6.1.1 > 6.1.2-preview)

2022-07-01 16:32:34

BuiltIn

App Service

8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e

App Service app slots should have local authentication methods disabled for FTP deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

[Deprecated]: Latest TLS version should be used in your API App

Upgrade to the latest TLS version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use the latest TLS version', which is scoped to include API apps in addition to Web Apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

0e60b895-3786-45da-8377-9c6b4b6ac5f9

Configure App Service app slots to disable local authentication for FTP deployments

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps should have remote debugging turned off

Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

Configure App Service apps to disable local authentication for SCM sites

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

App Service apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

App Service apps should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

Kubernetes

b318f84a-b872-429b-ac6d-a01b96814452

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.1.1 > 4.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

Configure App Service apps to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

0da106f2-4ca3-48e8-bc85-c638fe6aea8f

App Service apps should have local authentication methods disabled for SCM site deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps should use managed identity

Use a managed identity for enhanced authentication security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

dcbc65aa-59f3-4239-8978-3bb869d82604

App Service apps should use an Azure file share for its content directory

Default
Audit
Allowed
Audit, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

991310cd-e9f3-47bc-b7b6-f57b557d07db

[Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app

Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use latest 'HTTP Version'', which is scoped to include API apps in addition to Web Apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

324c7761-08db-4474-9661-d1039abc92ee

[Deprecated]: API apps should use an Azure file share for its content directory

The content directory of an API app should be located on an Azure file share. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use an Azure file shares for its content directory', which is scoped to include API apps in addition to Web Apps.

Default
Audit
Allowed
Audit, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

399b2637-a50f-4f95-96f8-3a145476eb15

Function apps should require FTPS only

Enable FTPS enforcement for enhanced security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

Kubernetes

fb74e86f-d351-4b8d-b034-93da7391c01f

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.2.1 > 5.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

App Service Environment should have internal encryption enabled

Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

[Deprecated]: API apps that use Python should use the latest 'Python version'

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps that use Python should use the latest 'Python version''.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

App Service apps that use PHP should use a specified 'PHP version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.2.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

Configure App Service apps to disable local authentication for FTP deployments

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.1 > 6.0.2)

2022-07-01 16:32:34

BuiltIn

App Service

App Service apps should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

App Service apps should have local authentication methods disabled for FTP deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

4d0bc837-6eff-477e-9ecd-33bf8d4212a5

App Service apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps should use an Azure file share for its content directory

Default
Audit
Allowed
Audit, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

change

Major (1.0.1 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app

Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps that use PHP should use the latest 'PHP version'', which is scoped to include API apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.1.0 > 2.1.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

0c192fe8-9cbb-4516-85b3-0ade8bd03886

Configure App Service app slots to disable local authentication for SCM sites

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

[Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled

Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have 'Client Certificates (Incoming client certificates)' enabled', which is scoped to include API apps in addition to Web Apps.

Default
Audit
Allowed
Audit, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

687aa49d-0982-40f8-bf6b-66d1da97a04b

App Service apps should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

[Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

5744710e-cc2f-4ee8-8809-3b11e89f4bc9

App Service apps should have resource logs enabled

Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

App Service apps should not have CORS configured to allow every resource to access your apps

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

c4d441f8-f9d9-4a9e-9cef-e82117cb3eef

App Service apps should be injected into a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

[Deprecated]: Managed identity should be used in your API App

Use a managed identity for enhanced authentication security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should use managed identity', which is scoped to include API apps in addition to Web Apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

Function apps should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

Kubernetes

6c66c325-74c8-42fd-a286-a74b0e2939d8

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (7.2.0 > 8.0.0)

2022-07-01 16:32:34

BuiltIn

Kubernetes

Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace

Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

c4ebc54a-46e1-481a-bee2-d4411e95d828

[Deprecated]: Authentication should be enabled on your API app

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. We recommend all customers who are still using API apps to implement the built-in policy called 'App Service apps should have authentication enabled', which is scoped to include API apps in addition to Web apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8

Function apps should have authentication enabled

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-07-01 16:32:34

BuiltIn

App Service

95bccee9-a7f8-4bec-9ee9-62c3473701fc

App Service apps should have authentication enabled

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-07-01 16:32:34

BuiltIn

App Service

358c20a6-3f9e-4f0e-97ff-c6ce485e2aac

[Deprecated]: CORS should not allow every resource to access your API App

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should not have CORS configured to allow every resource to access your apps', which is scoped to include API apps in addition to Web Apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

Kubernetes

9a1b8c48-453a-4044-86c3-d8bfd823e4f5

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, new suffix: preview (5.0.2 > 5.0.3-preview)

2022-07-01 16:32:34

BuiltIn

App Service

[Deprecated]: FTPS only should be required in your API App

Enable FTPS enforcement for enhanced security. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should require FTPS only', which is scoped to include API apps in addition to Web Apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

e9c8d085-d9cc-4b17-9cdc-059f1f01f19e

[Deprecated]: Remote debugging should be turned off for API Apps

Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should have remote debugging turned off', which is scoped to include API apps in addition to Web Apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-07-01 16:32:34

BuiltIn

App Service

d6545c6b-dd9d-4265-91e6-0b451e2f1c50

App Service Environment should have TLS 1.0 and 1.1 disabled

TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-07-01 16:32:34

BuiltIn

Security Center

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Patch (4.0.0 > 4.0.1)

2022-06-24 19:15:47

BuiltIn

Kubernetes

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, old suffix: preview (5.0.1-preview > 5.0.2)

2022-06-24 19:15:47

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets

Fixed
deployIfNotExists

change

Major (2.0.0 > 3.0.0)

2022-06-24 19:15:47

BuiltIn

Backup

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (8.0.0 > 9.0.0)

2022-06-24 19:15:47

BuiltIn

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (3.1.0-preview > 3.1.1)

2022-06-24 19:15:47

BuiltIn

Kubernetes

Azure Kubernetes Service clusters should have Defender profile enabled

Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks

Default
Audit
Allowed
Audit, Disabled

change

Patch, old suffix: preview (1.0.2-preview > 1.0.3)

2022-06-24 19:15:47

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2022-06-24 19:15:47

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machines

Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2022-06-24 19:15:47

BuiltIn

Backup

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (8.0.0 > 9.0.0)

2022-06-24 19:15:47

BuiltIn

API Management

API Management APIs should use only encrypted protocols

To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (1.0.0 > 2.0.0)

2022-06-24 19:15:47

BuiltIn

Guest Configuration

[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2022-06-24 19:15:47

BuiltIn

Security Center

Deploy Workflow Automation for Microsoft Defender for Cloud recommendations

Fixed
deployIfNotExists

change

Major (4.0.0 > 5.0.0)

2022-06-24 19:15:47

BuiltIn

Kubernetes

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, old suffix: preview (6.1.0-preview > 6.1.1)

2022-06-24 19:15:47

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (8.0.0 > 9.0.0)

2022-06-24 19:15:47

BuiltIn

Security Center

Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance

Fixed
deployIfNotExists

change

Major (4.0.0 > 5.0.0)

2022-06-24 19:15:47

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (8.0.0 > 9.0.0)

2022-06-24 19:15:47

BuiltIn

Monitoring

46238e2f-3f6f-4589-9f3f-77bed4116e67

Deploy Dependency agent for Linux virtual machines

Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.

Fixed
deployIfNotExists

change

Major (2.0.0 > 3.0.0)

2022-06-24 19:15:47

BuiltIn

Kubernetes

Azure Kubernetes Clusters should use Azure CNI

Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-06-24 19:15:47

BuiltIn

Security Center

Deploy export to Event Hub for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Patch (4.0.0 > 4.0.1)

2022-06-24 19:15:47

BuiltIn

Security Center

Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess

Deploy Workflow Automation for Microsoft Defender for Cloud alerts

Fixed
deployIfNotExists

change

Major (4.0.0 > 5.0.0)

2022-06-24 19:15:47

BuiltIn

Machine Learning

Deny public access of Azure Machine Learning clusters via SSH

Deny public access of Azure Machine Learning clusters via SSH.

Default
Deny
Allowed
Audit, Disabled, Deny

change

Minor (1.0.0 > 1.1.0)

2022-06-17 17:16:31

ALZ

Storage

Deploy-Storage-sslEnforcement

Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-06-17 17:16:31

ALZ

Monitoring

Deploy-Diagnostics-Bastion

[Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-06-17 17:16:31

ALZ

Monitoring

Deploy-Diagnostics-MlWorkspace

[Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-06-17 17:16:31

ALZ

Monitoring

[Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-06-17 17:16:31

ALZ

Monitoring

Deploy-Diagnostics-WVDWorkspace

[Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-06-17 17:16:31

ALZ

Monitoring

Deploy-Diagnostics-WVDAppGroup

[Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-06-17 17:16:31

ALZ

Monitoring

Deploy-Diagnostics-AVDScalingPlans

[Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-06-17 17:16:31

ALZ

Kubernetes

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (7.2.0 > 8.0.0)

2022-06-17 16:31:08

BuiltIn

API Management

92bb331d-ac71-416a-8c91-02f2cb734ce4

API Management APIs should use only encrypted protocols

To ensure security of data in transit, APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-06-17 16:31:08

BuiltIn

API Management

API Management calls to API backends should not bypass certificate thumbprint or name validation

To improve the API security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-06-17 16:31:08

BuiltIn

API Management

549814b6-3212-4203-bdc8-1548d342fb67

API Management minimum API version should be set to 2019-12-01 or higher

To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-06-17 16:31:08

BuiltIn

Machine Learning

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed pull policy

Restrict containers' pull policy to enforce containers to use only allowed images on deployments

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.2.0 > 2.0.0)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.2.0 > 4.2.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.1 > 6.0.2)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.2.0 > 6.0.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

f1cc7827-022c-473e-836e-5a51cae0b249

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2022-06-17 16:31:08

BuiltIn

API Management

API Management secret named values should be stored in Azure Key Vault

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.3.0 > 3.3.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

c15dcc82-b93c-4dcb-9332-fbf121685b54

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.2.0 > 4.0.1)

2022-06-17 16:31:08

BuiltIn

API Management

API Management calls to API backends should be authenticated

Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-06-17 16:31:08

BuiltIn

API Management

3aa03346-d8c5-4994-a5bc-7652c2a2aef1

API Management subscriptions should not be scoped to all APIs

API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-06-17 16:31:08

BuiltIn

API Management

b741306c-968e-4b67-b916-5675e5c709f4

API Management direct management endpoint should not be enabled

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.2.0 > 4.2.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-06-17 16:31:08

BuiltIn

Container Registry

Container registries should not allow unrestricted network access

Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific private endpoints, public IP addresses or address ranges. If your registry doesn't have network rules configured, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/privatelink, https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.1.0 > 2.0.0)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.2.0 > 4.2.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Ensure cluster containers have readiness or liveness probes configured

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.1.0 > 2.0.0)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.1.0 > 3.1.1)

2022-06-17 16:31:08

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2022-06-17 16:31:08

BuiltIn

Monitoring

a06d0189-92e8-4dba-b0c4-08d7669fce7d

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.1 > 3.0.0)

2022-06-10 16:31:21

BuiltIn

Storage

Configure storage accounts to disable public network access

To improve the security of Storage Accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/storageaccountpublicnetworkaccess. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-06-10 16:31:21

BuiltIn

Kubernetes

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

Default
Audit
Allowed
Audit, Disabled

change

Major (1.0.1 > 2.0.0)

2022-06-10 16:31:21

BuiltIn

Key Vault

b2982f36-99f2-4db5-8eff-283140c09693

Azure Key Vault should have firewall enabled or public network access disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, old suffix: preview (2.0.0-preview > 3.0.0)

2022-06-10 16:31:21

BuiltIn

Storage

Storage accounts should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-06-10 16:31:21

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.2.0 > 5.0.0)

2022-06-10 16:31:21

BuiltIn

App Service

App Service apps should use a SKU that supports private link

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-06-10 16:31:21

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (7.1.0 > 8.0.0)

2022-06-10 16:31:21

BuiltIn

Machine Learning

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

2022-06-10 16:31:21

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview)

2022-06-10 16:31:21

BuiltIn

Monitoring

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.1 > 3.0.0)

2022-06-10 16:31:21

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machines

Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-06-10 16:31:21

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2022-06-10 16:31:21

BuiltIn

Machine Learning

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (5.0.0-preview > 5.1.0-preview)

2022-06-10 16:31:21

BuiltIn

Kubernetes

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.2.0 > 4.0.0)

2022-06-10 16:31:21

BuiltIn

Kubernetes

405c5871-3e91-4644-8a63-58e19d68ff5b

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.1.0 > 3.0.0)

2022-06-10 16:31:21

BuiltIn

Key Vault

Azure Key Vault should disable public network access

Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-06-10 16:31:21

BuiltIn

Machine Learning

ac673a9a-f77d-4846-b2d8-a57f8e1c01dc

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (6.0.1-preview > 6.1.0-preview)

2022-06-10 16:31:21

BuiltIn

Key Vault

Configure key vaults to enable firewall

Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security

Default
Modify
Allowed
Modify, Disabled

change

Minor, old suffix: preview (1.0.0-preview > 1.1.1)

2022-06-10 16:31:21

BuiltIn

Security Center

[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.1-preview > 1.1.1-preview)

2022-06-07 16:30:19

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should not overcommit cpu and memory

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-06-07 16:30:19

BuiltIn

Kubernetes

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.2.0 > 3.0.0)

2022-06-07 16:30:19

BuiltIn

Machine Learning

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (5.0.0-preview > 6.0.1-preview)

2022-06-07 16:30:19

BuiltIn

Security Center

[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines

Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2022-06-07 16:30:19

BuiltIn

Security Center

[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-06-07 16:30:19

BuiltIn

Kubernetes

Kubernetes resources should have required annotations

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-06-07 16:30:19

BuiltIn

Security Center

a4af4a39-4135-47fb-b175-47fbdf85311d

[Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-06-07 16:30:19

BuiltIn

App Service

App Service apps should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (1.0.0 > 2.0.0)

2022-06-07 16:30:19

BuiltIn

Kubernetes

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (6.0.0-preview > 6.1.0-preview)

2022-06-07 16:30:19

BuiltIn

Kubernetes

[Preview]: Kubernetes clusters should restrict creation of given resource type

Given Kubernetes resource type should not be deployed in certain namespace.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-06-07 16:30:19

BuiltIn

Machine Learning

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)

2022-06-07 16:30:19

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed pull policy

Restrict containers' pull policy to enforce containers to use only allowed images on deployments

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.1.0 > 1.2.0)

2022-06-07 16:30:19

BuiltIn

Kubernetes

ac076320-ddcf-4066-b451-6154267e8ad2

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2022-06-07 16:30:19

BuiltIn

Security Center

Enable Microsoft Defender for Cloud on your subscription

Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task.

Fixed
deployIfNotExists

change

Patch (1.0.0 > 1.0.1)

2022-06-07 16:30:19

BuiltIn

Guest Configuration

e79ffbda-ff85-465d-ab8e-7e58a557660f

[Preview]: Linux machines with OMI installed should have version 1.6.8-1 or later

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-06-07 16:30:19

BuiltIn

Security Center

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (5.0.1-preview > 5.1.1-preview)

2022-06-07 16:30:19

BuiltIn

Managed Identity

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, new suffix: preview (1.0.0 > 1.0.1-preview)

2022-06-07 16:30:19

BuiltIn

Machine Learning

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-06-07 16:30:19

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-06-07 16:30:19

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)

2022-06-07 16:30:19

BuiltIn

App Service

70aa7a1c-b0c7-4b2f-922b-8489d97cbb9f

Function apps should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (1.0.0 > 2.0.0)

2022-06-07 16:30:19

BuiltIn

Guest Configuration

[Preview]: Linux machines should meet requirements for the Azure security baseline for Docker hosts

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-06-07 16:30:19

BuiltIn

Machine Learning

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-06-07 16:30:19

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2022-06-07 16:30:19

BuiltIn

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.0.3-preview > 3.1.0-preview)

2022-06-07 16:30:19

BuiltIn

Machine Learning

4eb909e7-6d64-656d-6465-2eeb297a1625

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-06-07 16:30:19

BuiltIn

Security Center

[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines

Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2022-06-07 16:30:19

BuiltIn

Security Center

b7ddfbdc-1260-477d-91fd-98bd9be789a6

[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-06-07 16:30:19

BuiltIn

App Service

[Deprecated]: API App should only be accessible over HTTPS

Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. We recommend all customers who are still using API Apps to implement the built-in policy called 'App Service apps should only be accessible over HTTPS', which is scoped to include API apps in addition to Web Apps.

Default
Audit
Allowed
Audit, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-06-07 16:30:19

BuiltIn

Security Center

37c043a6-6d64-656d-6465-b362dfeb354a

[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-06-07 16:30:19

BuiltIn

Security Center

[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines

Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2022-06-07 16:30:19

BuiltIn

Managed Identity

1ec9c2c2-6d64-656d-6465-3ec3309b8579

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Patch, new suffix: preview (1.0.0 > 1.0.1-preview)

2022-06-07 16:30:19

BuiltIn

Security Center

[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines

Deploys Microsoft Defender for Endpoint on applicable Windows VM images.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2022-06-07 16:30:19

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.2.0 > 4.0.0)

2022-06-07 16:30:19

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should only run with approved user and domain user group

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-06-07 16:30:19

BuiltIn

Kubernetes

83c6fe0f-2316-444a-99a1-1ecd8a7872ca

Kubernetes cluster should not use naked pods

Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-06-07 16:30:19

BuiltIn

Storage

Configure a private DNS Zone ID for dfs groupID

Configure private DNS zone group to override the DNS resolution for a dfs groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Kubernetes

9b597639-28e4-48eb-b506-56b05d366257

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.2.0 > 5.0.0)

2022-05-27 20:20:35

BuiltIn

Compute

Microsoft IaaSAntimalware extension should be deployed on Windows servers

This policy audits any Windows server VM without Microsoft IaaSAntimalware extension deployed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-05-27 20:20:35

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.2.0 > 5.0.0)

2022-05-27 20:20:35

BuiltIn

Security Center

6df98d03-368a-4438-8730-a93c4d7693d6

[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2022-05-27 20:20:35

BuiltIn

Storage

Configure a private DNS Zone ID for file groupID

Configure private DNS zone group to override the DNS resolution for a file groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Storage

a06d0189-92e8-4dba-b0c4-08d7669fce7d

Configure storage accounts to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Storage

b2982f36-99f2-4db5-8eff-283140c09693

Storage accounts should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Storage

da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6

Configure a private DNS Zone ID for queue_secondary groupID

Configure private DNS zone group to override the DNS resolution for a queue_secondary groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Compute

2835b622-407b-4114-9198-6f7064cbe0dc

Deploy default Microsoft IaaSAntimalware extension for Windows Server

This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.

Fixed
deployIfNotExists

change

Minor (1.0.0 > 1.1.0)

2022-05-27 20:20:35

BuiltIn

Kubernetes

028bbd88-e9b5-461f-9424-a1b63a7bee1a

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.2.0 > 6.0.0)

2022-05-27 20:20:35

BuiltIn

Storage

Configure a private DNS Zone ID for table groupID

Configure private DNS zone group to override the DNS resolution for a table groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Container Apps

8b346db6-85af-419b-8557-92cee2c0f9bb

Container App environments should use network injection

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.0 > 1.0.1)

2022-05-27 20:20:35

BuiltIn

Storage

90bd4cb3-9f59-45f7-a6ca-f69db2726671

Configure a private DNS Zone ID for dfs_secondary groupID

Configure private DNS zone group to override the DNS resolution for a dfs_secondary groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Storage

75973700-529f-4de2-b794-fb9b6781b6b0

Configure a private DNS Zone ID for blob groupID

Configure private DNS zone group to override the DNS resolution for a blob groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Guest Configuration

d847d34b-9337-4e2d-99a5-767e5ac9c582

Configure time zone on Windows machines.

This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.

Fixed
deployIfNotExists

change

Major (1.1.0 > 2.0.0)

2022-05-27 20:20:35

BuiltIn

Storage

Configure a private DNS Zone ID for blob_secondary groupID

Configure private DNS zone group to override the DNS resolution for a blob_secondary groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Kubernetes

9adab2a5-05ba-4fbd-831a-5bf958d04218

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.3.0 > 7.0.0)

2022-05-27 20:20:35

BuiltIn

Storage

Configure a private DNS Zone ID for web groupID

Configure private DNS zone group to override the DNS resolution for a web groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.1.0 > 6.0.0)

2022-05-27 20:20:35

BuiltIn

Kubernetes

50553764-7777-43cf-bf12-8647e0b9ba01

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.2.0 > 5.0.0)

2022-05-27 20:20:35

BuiltIn

Maps

CORS should not allow every resource to access your map account.

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your map account. Allow only required domains to interact with your map account.

Default
Audit
Allowed
Disabled, Audit, Deny

add

new Policy

2022-05-27 20:20:35

BuiltIn

Kubernetes

c1d634a5-f73d-4cdd-889f-2cc7006eb47f

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.1.0 > 4.0.0)

2022-05-27 20:20:35

BuiltIn

Storage

Configure a private DNS Zone ID for table_secondary groupID

Configure private DNS zone group to override the DNS resolution for a table_secondary groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Storage

d19ae5f1-b303-4b82-9ca8-7682749faf0c

Configure a private DNS Zone ID for web_secondary groupID

Configure private DNS zone group to override the DNS resolution for a web_secondary groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Storage

bcff79fb-2b0d-47c9-97e5-3023479b00d1

Configure a private DNS Zone ID for queue groupID

Configure private DNS zone group to override the DNS resolution for a queue groupID private endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-27 20:20:35

BuiltIn

Key Vault

e58fd0c1-feac-4d12-92db-0a7e9421f53e

[Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Machine Learning

ad27588c-0198-4c84-81ef-08efd0274653

Azure Machine Learning Workspaces should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.3.0 > 2.0.0)

2022-05-23 08:52:47

BuiltIn

Key Vault

[Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Key Vault

1d478a74-21ba-4b9f-9d8f-8e6fced0eec5

[Preview]: Azure Key Vault Managed HSM keys should have an expiration date

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Managed Identity

5e7e928c-8693-4a23-9bf3-1c77b9a8fe97

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Attestation

Azure Attestation providers should disable public network access

To improve the security of Azure Attestation Service, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in aka.ms/azureattestation. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Managed Identity

2393d2cf-a342-44cd-a2e2-fe0188fd1234

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

SignalR

Azure SignalR Service should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Web PubSub

eb907f70-7514-460d-92b3-a5ae93b4f917

Azure Web PubSub Service should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Key Vault

86810a98-8e91-4a44-8386-ec66d0de5d57

[Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Kubernetes

5b9d063f-c5fd-4750-a489-1258d1fefcbf

[Preview]: Kubernetes clusters should restrict creation of given resource type

Given Kubernetes resource type should not be deployed in certain namespace.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-23 08:52:47

BuiltIn

Internet of Things

Configure Azure Device Update for IoT Hub accounts with private endpoint

A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your Device Update for IoT hub to allow services inside your virtual network to reach this resource without requiring traffic to be sent to Device Update for IoT Hub's public endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Container Apps

d074ddf8-01a5-4b5e-a2b8-964aed452c0a

Container Apps environment should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

SQL

d9844e8a-1437-4aeb-a32c-0c992f056095

Public network access should be disabled for MySQL servers

Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.2 > 2.0.0)

2022-05-16 16:31:13

BuiltIn

Container Apps

2b585559-a78e-4cc4-b1aa-fb169d2f6b96

Authentication should be enabled on Container Apps

Container Apps Authentication is a feature that can prevent anonymous HTTP requests from reaching the Container App, or authenticate those that have tokens before they reach the Container App

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Security Center

d9f1f9a9-8795-49f9-9e7b-e11db14caeb2

Configure machines to receive a vulnerability assessment provider

Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, old suffix: preview (3.1.0-preview > 4.0.0)

2022-05-16 16:31:13

BuiltIn

SignalR

Azure SignalR Service should enable diagnostic logs

Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Container Apps

7c9f3fbb-739d-4844-8e42-97e3be6450e0

Container App should configure with volume mount

Enforce the use of volume mounts for Container Apps to ensure availability of persistent storage capacity.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Internet of Things

510ec8b2-cb9e-461d-b7f3-6b8678c31182

Public network access for Azure Device Update for IoT Hub accounts should be disabled

Disabling the public network access property improves security by ensuring your Azure Device Update for IoT Hub accounts can only be accessed from a private endpoint.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

SQL

783ea2a8-b8fd-46be-896a-9ae79643a0b1

Public network access should be disabled for PostgreSQL servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.2 > 2.0.0)

2022-05-16 16:31:13

BuiltIn

Container Apps

Container Apps should disable external network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Container Apps

0e80e269-43a4-4ae9-b5bc-178126b8a5cb

Container Apps should only be accessible over HTTPS

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Web PubSub

ee8a7be2-e9b5-47b9-9d37-d9b141ea78a4

Azure Web PubSub Service should enable diagnostic logs

Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Bot Service

5e8168db-69e3-4beb-9822-57cb59202a9d

Bot Service should have public network access disabled

Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Internet of Things

a222b93a-e6c2-4c01-817f-21e092455b2a

Configure Azure Device Update for IoT Hub accounts to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

Internet of Things

27573ebe-7ef3-4472-a8e1-33aef9ea65c5

Configure Azure Device Update for IoT Hub accounts to disable public network access

Disabling the public network access property improves security by ensuring your Device Update for IoT Hub can only be accessed from a private endpoint. This policy disables public network access on Device Update for IoT Hub resources.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

SQL

fdccbe47-f3e3-4213-ad5d-ea459b2fa077

Public network access should be disabled for MariaDB servers

Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.2 > 2.0.0)

2022-05-16 16:31:13

BuiltIn

Container Apps

b874ab2d-72dd-47f1-8cb5-4a306478a4e7

Managed Identity should be enabled for Container Apps

Enforcing managed identity ensures Container Apps can securely authenticate to any resource that supports Azure AD authentication

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-05-16 16:31:13

BuiltIn

SQL

86a912f6-9a06-4e26-b447-11b16ba8659f

Deploy SQL DB transparent data encryption

Enables transparent data encryption on SQL databases

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-05-06 16:29:23

BuiltIn

Monitoring

da6e2401-19da-4532-9141-fb8fbde08431

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2022-05-06 16:29:23

BuiltIn

Kubernetes

Azure Kubernetes Service Clusters should use managed identities

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-05-06 16:29:23

BuiltIn

Monitoring

Linux virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-05-06 16:29:23

BuiltIn

Monitoring

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2022-05-06 16:29:23

BuiltIn

Monitoring

6646a0bd-e110-40ca-bb97-84fcee63c414

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.1 > 2.0.0)

2022-05-06 16:29:23

BuiltIn

Security Center

[Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates

[Deprecated: With Cloud Services (classic) retiring (see https://azure.microsoft.com/updates/cloud-services-retirement-announcement), there will no longer be a need for this assessment as management certificates will be obsolete.] Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2022-05-06 16:29:23

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-05-06 16:29:23

BuiltIn

Machine Learning

Azure Machine Learning Workspaces should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.2.0 > 1.3.0)

2022-05-06 16:29:23

BuiltIn

Monitoring

50c52fc9-cb21-4d99-9031-d6a0c613361c

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-05-06 16:29:23

BuiltIn

Guest Configuration

[Preview]: Windows machines should meet STIG compliance requirements for Azure compute

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in STIG compliance requirements for Azure compute. DISA (Defense Information Systems Agency) provides technical guides STIG (Security Technical Implementation Guide) to secure compute OS as required by Department of Defense (DoD). For more details, https://public.cyber.mil/stigs/.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-05-06 16:29:23

BuiltIn

Monitoring

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2022-05-06 16:29:23

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (3.0.1 > 4.0.0)

2022-05-06 16:29:23

BuiltIn

Security Center

8b346db6-85af-419b-8557-92cee2c0f9bb

Configure machines to receive a vulnerability assessment provider

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (3.0.0-preview > 3.1.0-preview)

2022-05-06 16:29:23

BuiltIn

Container Apps

Container App environments should use network injection

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2022-05-06 16:29:23

BuiltIn

Monitoring

Linux virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-05-06 16:29:23

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.1.0 > 5.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

8b5c654c-fb07-471b-aa8f-15fea733f140

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2022-04-29 18:06:01

BuiltIn

Synapse

Configure Azure Synapse Workspace Dedicated SQL minimum TLS version

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.0 > 6.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Ensure cluster containers have readiness or liveness probes configured

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-29 18:06:01

BuiltIn

Azure Update Manager

Configure periodic checking for missing system updates on azure Arc-enabled servers

Fixed
modify

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-04-29 18:06:01

BuiltIn

Kubernetes

cb3738a6-82a2-4a18-b87b-15217b9deff4

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.2.0 > 6.3.0)

2022-04-29 18:06:01

BuiltIn

Synapse

Azure Synapse Workspace SQL Server should be running TLS version 1.2 or newer

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-29 18:06:01

BuiltIn

Azure Update Manager

3e13d504-9083-4912-b935-39a085db2249

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-04-29 18:06:01

BuiltIn

Lab Services

Lab Services should restrict allowed virtual machine SKU sizes

This policy enables you to restrict certain Compute VM SKUs for labs managed through Lab Services. This will restrict certain virtual machine sizes.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-29 18:06:01

BuiltIn

Lab Services

0fd9915e-cab3-4f24-b200-6e20e1aa276a

Lab Services should require non-admin user for labs

This policy requires non-admin user accounts to be created for the labs managed through lab-services.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-29 18:06:01

BuiltIn

Kubernetes

6c66c325-74c8-42fd-a286-a74b0e2939d8

Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace

Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-04-29 18:06:01

BuiltIn

Backup

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (7.1.0 > 8.0.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster Windows containers should not overcommit cpu and memory

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.1.0 > 7.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (5.1.0-preview > 6.0.0-preview)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2022-04-29 18:06:01

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (7.1.0 > 8.0.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

a6e9cf2d-7d76-440e-b795-8da246bd3aab

Kubernetes cluster containers should only use allowed pull policy

Restrict containers' pull policy to enforce containers to use only allowed images on deployments

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-29 18:06:01

BuiltIn

Lab Services

Lab Services should enable all options for auto shutdown

This policy provides helps with cost management by enforcing all automatic shutdown options are enabled for a lab.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.2.0 > 3.3.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.1.0 > 3.2.0)

2022-04-29 18:06:01

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (7.1.0 > 8.0.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

e8a5a3eb-1ab6-4657-a701-7ae432cf14e1

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2022-04-29 18:06:01

BuiltIn

Lab Services

Lab Services should not allow template virtual machines for labs

This policy prevents creation and customization of a template virtual machines for labs managed through Lab Services.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-29 18:06:01

BuiltIn

Backup

52630df9-ca7e-442b-853b-c6ce548b31a2

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (7.1.0 > 8.0.0)

2022-04-29 18:06:01

BuiltIn

Web PubSub

[Deprecated]: Azure Web PubSub Service should use private link

The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917 instead.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.1.0 > 7.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.1.0 > 3.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.1.0 > 3.2.0)

2022-04-29 18:06:01

BuiltIn

SignalR

[Deprecated]: Azure SignalR Service should use private link

The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.1.0 > 4.2.0)

2022-04-29 18:06:01

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed pull policy

Restrict containers' pull policy to enforce containers to use only allowed images on deployments

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-22 19:50:54

BuiltIn

Kubernetes

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (4.1.0-preview > 5.1.0-preview)

2022-04-22 19:50:54

BuiltIn

Monitoring

Windows virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-04-22 19:50:54

BuiltIn

SQL

Public network access should be disabled for PostgreSQL flexible servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2022-04-22 19:50:54

BuiltIn

Kubernetes

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-04-22 19:50:54

BuiltIn

Monitoring

fe83a0eb-a853-422d-aac2-1bffd182c5d0

Windows virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-04-22 19:50:54

BuiltIn

Storage

Storage accounts should have the specified minimum TLS version

Configure a minimum TLS version for secure communication between the client application and the storage account. To minimize security risk, the recommended minimum TLS version is the latest released version, which is currently TLS 1.2.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-22 19:50:54

BuiltIn

Security Center

[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines

Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-04-15 17:17:14

BuiltIn

Kubernetes

ea6c4923-510a-4346-be26-1894919a5b97

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.0 > 6.2.0)

2022-04-15 17:17:14

BuiltIn

Stream Analytics

Stream Analytics job should use managed identity to authenticate endpoints

Ensure that Stream Analytics jobs only connect to endpoints using managed identity authentication.

Default
Audit
Allowed
Deny, Disabled, Audit

add

new Policy

2022-04-15 17:17:14

BuiltIn

Kubernetes

73868911-4f4a-444f-adbd-5382bf70208a

Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed

Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-04-15 17:17:14

BuiltIn

Security Center

4eb909e7-6d64-656d-6465-2eeb297a1625

[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines

Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-04-15 17:17:14

BuiltIn

Security Center

37c043a6-6d64-656d-6465-b362dfeb354a

[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines

Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-04-15 17:17:14

BuiltIn

Security Center

1ec9c2c2-6d64-656d-6465-3ec3309b8579

[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines

Deploys Microsoft Defender for Endpoint on applicable Windows VM images.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-04-15 17:17:14

BuiltIn

Cache

Deny-VNET-Peering-To-Non-Approved-VNETs

[Deprecated]: Azure Cache for Redis should reside within a virtual network

Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated)

2022-04-15 17:17:14

BuiltIn

Network

Deny vNet peering to non-approved vNets

This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2022-04-11 11:16:38

ALZ

Backup

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (6.1.0 > 7.1.0)

2022-04-08 16:22:13

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (6.1.0 > 7.1.0)

2022-04-08 16:22:13

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-04-08 16:22:13

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (6.1.0 > 7.1.0)

2022-04-08 16:22:13

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (4.0.0 > 4.0.1)

2022-04-08 16:22:13

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-04-08 16:22:13

BuiltIn

Backup

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (6.1.0 > 7.1.0)

2022-04-08 16:22:13

BuiltIn

Monitoring

ea0dfaed-95fb-448c-934e-d6e713ce393d

Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-04-08 16:22:13

BuiltIn

Monitoring

Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)

To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

e54c325e-42a0-4dcf-b105-046e0f6f590f

Microsoft Managed Control 1716 - Software & Information Integrity | Integration Of Detection And Response

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

a36eb487-cbd1-4fe7-a3df-2efc6aa2c2b6

Microsoft Managed Control 1745 - Risk Management Strategy

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

6519d7f3-e8a2-4ff3-a935-9a9497152ad7

Microsoft Managed Control 1441 - Media Sanitization And Disposal | Equipment Testing

Microsoft implements this Media Protection control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b

Microsoft Managed Control 1304 - User Identification And Authentication | Local Access To Non-Privileged Accounts

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

84e622c8-4bed-417c-84c6-b2fb0dd73682

Microsoft Managed Control 1307 - User Identification And Authentication | Network Access To Non-Privileged Accounts - Replay...

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

b23bd715-5d1c-4e5c-9759-9cbdf79ded9d

Microsoft Managed Control 1091 - Security Awareness

Microsoft implements this Awareness and Training control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

1fa50212-51a9-471b-95cf-3a23410ec9e9

Microsoft Managed Control 1730 - Information Security Program Plan

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

106618ad-fe3e-49b4-bfef-01009f6770d8

Microsoft Managed Control 1820 - Accounting of Disclosures

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

70792197-9bfc-4813-905a-bd33993e327f

Microsoft Managed Control 1509 - Position Categorization

Microsoft implements this Personnel Security control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (6.0.0 > 6.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

5b61f773-2042-46a8-b489-106d850d6d4e

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.0.0 > 5.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1814 - Privacy Awareness And Training

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

76f500cc-4bca-4583-bda1-6d084dc21086

Microsoft Managed Control 1508 - Position Categorization

Microsoft implements this Personnel Security control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

28e633fd-284e-4ea7-88b4-02ca157ed713

Microsoft Managed Control 1418 - Remote Maintenance | Comparable Security / Sanitization

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Key Vault

d2fc426a-4b67-464b-87c9-2134b8762ddf

Certificates using RSA cryptography should have the specified minimum key size

Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1817 - Privacy-Enhanced System Design And Development

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

a4eb2ba5-62b5-4524-83f0-7e05896edc76

Microsoft Managed Control 1824 - Data Quality

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

fb3c7f40-4c97-4fdd-94c9-e7d99b4f6e42

Microsoft Managed Control 1750 - Mission/Business Process Definition

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

4c25cbd0-8776-412f-8466-5993e38ce602

Microsoft Managed Control 1838 - Minimization of PII Used in Testing, Training, And Research

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

API for FHIR

051cba44-2429-45b9-9649-46cec11c7119

Azure API for FHIR should use a customer-managed key to encrypt data at rest

Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.

Default
Audit
Allowed
audit, Audit, disabled, Disabled

change

Minor (1.0.1 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

App Service

95bccee9-a7f8-4bec-9ee9-62c3473701fc

App Service apps should have authentication enabled

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

0f935dab-83d6-47b8-85ef-68b8584161b9

Microsoft Managed Control 1574 - Acquisitions Process

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

51d53eb3-6c02-4f3f-a608-a058af96fa6a

Microsoft Managed Control 1831 - Minimization of Personally Identifiable Information

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

44e543aa-41db-42aa-98eb-8a5eb1db53f0

Microsoft Managed Control 1712 - Software & Information Integrity

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

395736bb-aa8b-45f0-b9cc-06af26b2b1d4

Microsoft Managed Control 1810 - Privacy Requirements for Contractors And Service Providers

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.1.2 > 6.2.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1306 - User Identification And Authentication | Network Access To Privileged Accounts - Replay...

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

81817e1c-5347-48dd-965a-40159d008229

Microsoft Managed Control 1308 - User Identification And Authentication | Remote Access - Separate Device

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

d7d66d05-bf34-4555-b5f2-8b749def4098

Microsoft Managed Control 1837 - Data Retention And Disposal | System Configuration

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Monitoring

5c5e54f6-0127-44d0-8b61-f31dc8dd6190

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1067 - Wireless Access Restrictions

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

5ec0d156-53ba-4f29-8c17-1525cde54129

Microsoft Managed Control 1844 - Consent

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

7522ed84-70d5-4181-afc0-21e50b1b6d0e

Microsoft Managed Control 1417 - Remote Maintenance | Comparable Security / Sanitization

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-04-01 20:29:14

BuiltIn

Kubernetes

952a545c-6dc5-4999-aeb6-51ed27dc7ea5

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1854 - Inventory of Personally Identifiable Information

Microsoft implements this Security control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Monitoring

cd6120c1-d069-416d-9753-fbe84bca4b01

[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs

Default
Modify
Allowed
Modify, Disabled

count: 003
•Managed Identity Contributor
•Managed Identity Operator
•Virtual Machine Contributor

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1808 - Privacy Impact And Risk Assessment

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

f3739612-c86c-4b2e-bbe6-0d0869aec19c

Microsoft Managed Control 1803 - Governance And Privacy Program

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

74520428-3aa8-449c-938d-93f51940759e

Microsoft Managed Control 1739 - Information System Inventory

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

3492d949-0dbb-4589-88b3-7b59601cc764

Microsoft Managed Control 1412 - Remote Maintenance

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

App Service

c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8

Function apps should have authentication enabled

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

38dfd8a3-5290-4099-88b7-4081f4c4d8ae

Microsoft Managed Control 1416 - Remote Maintenance | Document Remote Maintenance

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

4b0d8d1d-7800-4b62-b4bf-6eecde12b2af

Microsoft Managed Control 1813 - Privacy Awareness And Training

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

40fcc635-52a2-4dbc-9523-80a1f4aa1de6

Microsoft Managed Control 1438 - Media Sanitization And Disposal

Microsoft implements this Media Protection control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Monitoring

d550e854-df1a-4de9-bf44-cd894b39a95e

Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace

Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

fb845c34-808d-4c17-a0ce-85a530e9164b

Microsoft Managed Control 1857 - Privacy Incident Response

Microsoft implements this Security control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Stream Analytics

87ba29ef-1ab3-4d82-b763-87fcd4f531f7

Azure Stream Analytics jobs should use customer-managed keys to encrypt data

Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

45b7b644-5f91-498e-9d89-7402532d3645

Microsoft Managed Control 1578 - Acquisitions Process | Functions / Ports / Protocols / Services In Use

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

66632c7c-d0b3-4945-a8ae-e5c62cbea386

Microsoft Managed Control 1829 - Data Integrity And Data Integrity Board | Publish Agreements on Website

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

6f29a2f0-ca59-4bdc-97a7-a8d593b60108

Microsoft Managed Control 1853 - Compliant Management | Response Times

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

cceea882-9d83-4ca6-b30e-6a7b381a8e6a

Microsoft Managed Control 1866 - Dissemination of Privacy Program Information

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

1f01608c-5f35-492d-8763-8edf0080cc38

Microsoft Managed Control 1738 - Plan Of Action And Milestones Process

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

3cb4787b-2c91-4aca-bf5a-577e99411c8a

Disable Command Invoke on Azure Kubernetes Service clusters

Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1825 - Data Quality | Validate PII

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

68f837d0-8942-4b1e-9b31-be78b247bda8

Microsoft Managed Control 1070 - Wireless Access Restrictions | Disable Wireless Networking

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

f475ee0e-f560-4c9b-876b-04a77460a404

Microsoft Managed Control 1706 - Security Alerts & Advisories

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

426f3a87-2d38-47e9-9687-c095441cd82c

Microsoft Managed Control 1732 - Information Security Program Plan

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

b6a8eae8-9854-495a-ac82-d2cd3eac02a6

Microsoft Managed Control 1568 - Acquisitions Process

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

cf1cad59-1012-4b55-9b80-427596ea1f4f

Microsoft Managed Control 1867 - Dissemination of Privacy Program Information

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2ef3cc79-733e-48ed-ab6f-7bf439e9b406

Microsoft Managed Control 1000 - Access Control Policy And Procedures Requirements

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

04f5fb00-80bb-48a9-a75b-4cb4d4c97c36

Microsoft Managed Control 1572 - Acquisitions Process

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

d4de5955-e00f-414d-9c16-f569c6a99c10

Microsoft Managed Control 1756 - Contacts With Security Groups And Associations

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

65c11daf-e754-406e-8d7b-f337dbd46a4f

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.0 > 6.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1800 - Authority to Collect

Microsoft implements this Authority and Purpose control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

d5f959a0-1808-4ebd-9a13-79237246f96f

Microsoft Managed Control 1861 - Privacy Notice | Real-Time or Layered Notice

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

6b04f815-52d7-4ff6-94bf-a4f22c07d5ae

Microsoft Managed Control 1809 - Privacy Impact And Risk Assessment

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

131a2706-61e9-4916-a164-00e052056462

Microsoft Managed Control 1347 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Piv Credentials...

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Automanage

4f8e271b-dfea-47e9-b81e-5519bae0b120

Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1852 - Compliant Management

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Machine Learning

8a29d47b-8604-4667-84ef-90d203fcb305

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1092 - Security Awareness | Insider Threat

Microsoft implements this Awareness and Training control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

76ba3061-b78b-48a5-aab8-43f5ae02898d

Microsoft Managed Control 1847 - Individual Access

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

8e903bb7-00e9-4255-a881-500742a2dbaa

Microsoft Managed Control 1843 - Consent

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Key Vault

855ced56-417b-4d74-9d5f-dd1bc81e22d6

Certificates should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1348 - Identification And Authentication (Non-Organizational Users) | Acceptance Of Third-Party...

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

0f559588-5e53-4b14-a7c4-85d28ebc2234

Microsoft Managed Control 1430 - Media Labeling

Microsoft implements this Media Protection control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2d5600ed-575a-4723-9ff4-52d694be0a59

Microsoft Managed Control 1856 - Privacy Incident Response

Microsoft implements this Security control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

7a1e2c88-13de-4959-8ee7-47e3d74f1f48

Microsoft Managed Control 1708 - Security Functionality Verification

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

1189aa19-fbcf-4b3e-b9ec-76508e2fa17b

Microsoft Managed Control 1850 - Redress

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

58f477bf-287b-43ef-ab49-dffde92130a0

Microsoft Managed Control 1816 - Privacy Reporting

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

898d4fe8-f743-4333-86b7-0c9245d93e7d

Microsoft Managed Control 1411 - Remote Maintenance

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

d77fd943-6ba6-4a21-ba07-22b03e347cc4

Microsoft Managed Control 1350 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Issued Profiles

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2e0ffcf5-c19e-4e04-ad0f-2db9b15ab126

Microsoft Managed Control 1751 - Insider Threat Program

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.0.1 > 7.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.0.1 > 7.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

2d44b6fa-1134-4ea6-ad4e-9edb68f65429

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.3 > 4.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1704 - Security Alerts & Advisories

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Key Vault

4e54c7ef-7457-430b-9a3e-ef8881d4a8e0

Certificates using elliptic curve cryptography should have allowed curve names

Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1579 - Acquisitions Process | Use Of Approved Piv Products

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2e5cd188-7fa8-41fc-87ff-0ac7475ccb25

Microsoft Managed Control 1845 - Consent | Mechanisms Supporting Itemized or Tiered Consent

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

27a69937-af92-4198-9b86-08d355c7e59a

Microsoft Managed Control 1074 - Access Control for Portable And Mobile Systems

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Monitoring

0a2119c1-f068-4bfe-9f03-db94317e8db9

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.1.0 > 1.1.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1855 - Inventory of Personally Identifiable Information

Microsoft implements this Security control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

4c6df994-1810-44c9-bd35-3280397cf9a6

Microsoft Managed Control 1868 - Internal Use

Microsoft implements this Use Limitation control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

18573dd5-899f-453d-b069-fa77b61fe257

Microsoft Managed Control 1870 - Information Sharing with Third Parties

Microsoft implements this Use Limitation control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

f7161f06-5260-4f0f-aeae-4bbfb8612a10

Microsoft Managed Control 1812 - Privacy Monitoring And Auditing

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Key Vault

e17a106b-cf45-431e-89dc-da71e161c40c

Certificates should be issued by the specified non-integrated certificate authority

Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1801 - Purpose Specification

Microsoft implements this Authority and Purpose control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

71c6c2b1-78c8-4e84-9d05-9bd4db116cba

Microsoft Managed Control 1858 - Privacy Notice

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08

Microsoft Managed Control 1301 - User Identification And Authentication | Network Access To Privileged Accounts

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

32d58eb6-4c76-4881-87ce-522b0e787bd0

Microsoft Managed Control 1735 - Information Security Resources

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

7c6de11b-5f51-4f7c-8d83-d2467c8a816e

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (7.0.4 > 7.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1143 - Certification, Authorization, Security Assessment Policy And Procedures

Microsoft implements this Security Assessment and Authorization control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Storage

38512b01-6a68-45d6-bb97-189a9a0fbe5e

Storage account public access should be disallowed

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor, suffix remains equal (3.0.1-preview > 3.1.0-preview)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1849 - Individual Access

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

4d1d4ce2-71ea-4578-bbb4-fe76215d45ac

Microsoft Managed Control 1811 - Privacy Requirements for Contractors And Service Providers

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Bot Service

6164527b-e1ee-4882-8673-572f425f5e0a

Bot Service endpoint should be a valid HTTPS URI

Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.1 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

4edd8330-da6b-4f1e-b996-e064d8b92cb7

Microsoft Managed Control 1833 - Minimization of Personally Identifiable Information | Locate/Remove/Redact/Anonymize PII

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Monitoring

6c53d030-cc64-46f0-906d-2bc061cd1334

Log Analytics workspaces should block log ingestion and querying from public networks

Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

01524fa8-4555-48ce-ba5f-c3b8dcef5147

Microsoft Managed Control 1142 - Certification, Authorization, Security Assessment Policy And Procedures

Microsoft implements this Security Assessment and Authorization control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2bfea08c-2567-4f29-aad7-0f238ce655ea

Microsoft Managed Control 1758 - Threat Awareness Program

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

ad2f8e61-a564-4dfd-8eaa-816f5be8cb34

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.2 > 4.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1569 - Acquisitions Process

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

0c92e78e-4667-44f1-8b1d-bbc784b66950

Microsoft Managed Control 1755 - Contacts With Security Groups And Associations

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Monitoring

ea979184-f7c4-42be-86d2-584b95c34540

[Deprecated]: Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1869 - Information Sharing with Third Parties

Microsoft implements this Use Limitation control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2ce63a52-e47b-4ae2-adbb-6e40d967f9e6

Microsoft Managed Control 1414 - Remote Maintenance

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

ef080e67-0d1a-4f76-a0c5-fb9b0358485e

Microsoft Managed Control 1089 - Security Awareness

Microsoft implements this Awareness and Training control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (6.0.0 > 6.1.0)

2022-04-01 20:29:14

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Kubernetes

d461dd50-c8fb-4ccb-93bf-61f53b44e54d

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1742 - Critical Infrastructure Plan

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

baff1279-05e0-4463-9a70-8ba5de4c7aa4

Microsoft Managed Control 1726 - Information Output Handling And Retention

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

3815d34a-187d-4f30-a9fa-5ac464e3465d

Microsoft Managed Control 1736 - Information Security Resources

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

d922484a-8cfc-4a6b-95a4-77d6a685407f

Microsoft Managed Control 1577 - Acquisitions Process | Continuous Monitoring Plan

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Azure Stack Edge

b4ac1030-89c5-4697-8e00-28b5ba6a8811

Azure Stack Edge devices should use double-encryption

To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2fd50ffd-c983-4fab-862c-678b95bfaf5a

Microsoft Managed Control 1832 - Minimization of Personally Identifiable Information

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

c050047b-b21b-4822-8a2d-c1e37c3c0c6a

Configure Kubernetes clusters with specified GitOps configuration using SSH secrets

Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (1.0.1 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

aac17c36-2ac1-417f-ba74-6305f2ce6ad5

Microsoft Managed Control 1859 - Privacy Notice

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

51f2fa3e-cd5f-4713-a9ce-177ee7a22d48

Microsoft Managed Control 1828 - Data Integrity And Data Integrity Board

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

e4df5fb7-58e9-41de-9399-f043c7a931f8

Microsoft Managed Control 1740 - Information Security Measures Of Performance

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

7cb8a3d2-a208-4b6f-95e8-e8f0bb85a7a6

Microsoft Managed Control 1807 - Governance And Privacy Program

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

fd4a2ac8-868a-4702-a345-6c896c3361ce

Microsoft Managed Control 1707 - Security Alerts & Advisories | Automated Alerts And Advisories

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Key Vault

fc933d22-04df-48ed-8f87-22a3773d4309

Certificates should use allowed key types

Manage your organizational compliance requirements by restricting the key types allowed for certificates.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1075 - Access Control for Portable And Mobile Systems | Full Device / Container-Based Encryption

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

9834600a-668a-482c-9310-a89861b29e06

Microsoft Managed Control 1805 - Governance And Privacy Program

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

12a4a4dd-6c65-4900-9d7e-63fed5da791e

Microsoft Managed Control 1834 - Data Retention And Disposal

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

b2c2d6ed-bed8-419f-a8b7-59d736573acd

[Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster

This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor, suffix remains equal (4.0.2-deprecated > 4.1.0-deprecated)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1863 - System of Records Notices And Privacy Act Statements

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Monitoring

6fc8115b-2008-441f-8c61-9b722c1e537f

Workbooks should be saved to storage accounts that you control

With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos

Default
Audit
Allowed
deny, Deny, audit, Audit, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

4152937a-1a44-401a-a179-04b44ea15f4c

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (4.0.0-preview > 4.1.0-preview)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1733 - Senior Information Security Officer

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

025992d6-7fee-4137-9bbf-2ffc39c0686c

Microsoft Managed Control 1709 - Security Functionality Verification

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c

Microsoft Managed Control 1073 - Access Control for Portable And Mobile Systems

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

9870806c-153f-4fa5-aafa-c5f5eeb72292

Microsoft Managed Control 1741 - Enterprise Architecture

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

59a7116d-19fd-49e9-a068-dec4460b97e5

Microsoft Managed Control 1731 - Information Security Program Plan

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

17641f70-94cd-4a5d-a613-3d1143e20e34

Microsoft Managed Control 1349 - Identification And Authentication (Non-Organizational Users) | Use Of Ficam-Approved Products

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.0.2 > 3.1.0)

2022-04-01 20:29:14

BuiltIn

Key Vault

Certificates should be issued by the specified integrated certificate authority

Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-04-01 20:29:14

BuiltIn

Machine Learning

fe1c9040-c46a-4e81-9aea-c7850fbb3aa6

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-04-01 20:29:14

BuiltIn

Healthcare APIs

CORS should not allow every domain to access your FHIR Service

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your FHIR Service. To protect your FHIR Service, remove access for all domains and explicitly define the domains allowed to connect.

Default
Audit
Allowed
audit, Audit, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Monitoring

fa298e57-9444-42ba-bf04-86e8470e32c7

Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption

Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

956b00aa-7977-4214-a0f5-e0428c1f9bff

Microsoft Managed Control 1806 - Governance And Privacy Program

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

1ca29e41-34ec-4e70-aba9-6248aca18c31

Microsoft Managed Control 1072 - Wireless Access Restrictions | Antennas / Transmission Power Levels

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

12718e41-af09-43b9-b6e4-7caae73b410b

Microsoft Managed Control 1754 - Testing, Training, And Monitoring

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

e12494fa-b81e-4080-af71-7dbacc2da0ec

Microsoft Managed Control 1714 - Software & Information Integrity | Automated Notifications Of Integrity Violations

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Bot Service

52152f42-0dda-40d9-976e-abb1acdd611e

Bot Service should have isolated mode enabled

Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

a7fcf38d-bb09-4600-be7d-825046eb162a

Microsoft Managed Control 1570 - Acquisitions Process

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Monitoring

d02e586f-d430-4053-b672-c14a788ad59f

Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication

Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1823 - Data Quality

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

b083a535-a66a-41ec-ba7f-f9498bf67cde

Microsoft Managed Control 1711 - Security Functionality Verification

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

71280b2a-8c2f-4480-b933-686c0987cfbb

Microsoft Managed Control 1851 - Redress

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

f82e3639-fa2b-4e06-a786-932d8379b972

Microsoft Managed Control 1705 - Security Alerts & Advisories

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Backup

baf19753-7502-405f-8745-370519b20483

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (6.0.0 > 6.1.0)

2022-04-01 20:29:14

BuiltIn

Event Grid

Deploy - Configure Azure Event Grid topics to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Key Vault

09828c65-e323-422b-9774-9d5c646124da

Certificates should have the specified lifetime action triggers

Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1302 - User Identification And Authentication | Network Access To Non-Privileged Accounts

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Monitoring

1bc02227-0cb6-4e11-8f53-eb0b22eab7e8

Application Insights components should block log ingestion and querying from public networks

Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

b6747bf9-2b97-45b8-b162-3c8becb9937d

Microsoft Managed Control 1419 - Remote Maintenance | Cryptographic Protection

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41

Microsoft Managed Control 1575 - Acquisitions Process | Functional Properties Of Security Controls

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

20ea0798-d19e-4925-afd0-53d583815818

Microsoft Managed Control 1815 - Privacy Awareness And Training

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

4e26f8c3-4bf3-4191-b8fc-d888805101b7

Microsoft Managed Control 1001 - Access Control Policy And Procedures Requirements

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

3a02bf7a-8fb7-4c97-bd55-4a8592764cc8

Microsoft Managed Control 1840 - Minimization of PII Used in Testing, Training, And Research | Risk Minimization Techniques

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

3bd38f52-1833-42b2-b9aa-e1b9dcd0143b

Microsoft Managed Control 1747 - Security Authorization Process

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

d39620a4-95c6-4d4f-8aa4-83c0c6a2c640

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.0.2 > 3.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1818 - Accounting of Disclosures

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Cosmos DB

0473574d-2d43-4217-aefe-941fcdf7e684

Azure Cosmos DB allowed locations

This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

05a32666-d134-4842-a8cb-5c299f4bc099

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.0.2 > 3.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1728 - Incident Handling

Microsoft implements this Incident Response control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

88ae1753-f34c-47c3-96af-dccb4ac052eb

Microsoft Managed Control 1830 - Minimization of Personally Identifiable Information

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

61a1dd98-b259-4840-abd5-fbba7ee0da83

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.0.2 > 3.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1415 - Remote Maintenance

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Cosmos DB

0b7ef78e-a035-4f23-b9bd-aff122a1b1cf

Azure Cosmos DB throughput should be limited

This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (5.0.0 > 5.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

8cb6d7ea-a6ae-4bc0-ae70-9fa3715e46bf

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.1.2 > 2.2.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1822 - Data Quality

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

58c93053-7b98-4cf0-b99f-1beb985416c2

Microsoft Managed Control 1573 - Acquisitions Process

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Kubernetes

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (2.0.2 > 2.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

3044f5dc-93dd-4da0-b25d-bb6cedde3536

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (3.0.2-preview > 3.0.3-preview)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1862 - System of Records Notices And Privacy Act Statements

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Bot Service

51522a96-0869-4791-82f3-981000c2c67f

Bot Service should be encrypted with a customer-managed key

Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

b07c9b24-729e-4e85-95fc-f224d2d08a80

Microsoft Managed Control 1429 - Media Labeling

Microsoft implements this Media Protection control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

9d9166a8-1722-4b8f-847c-2cf3f2618b3d

Microsoft Managed Control 1305 - User Identification And Authentication | Group Authentication

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

669ac708-82af-46f6-8bd6-75b48247489d

Microsoft Managed Control 1864 - System of Records Notices And Privacy Act Statements

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

f355d62b-39a8-4ba3-abf7-90f71cb3b000

Microsoft Managed Control 1309 - User Identification And Authentication | Acceptance Of Piv Credentials

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

563f2ce4-2d95-44b6-b828-275a2f3cac47

Microsoft Managed Control 1848 - Individual Access

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

b92ae63b-4411-48ba-b5c9-5bcaef5f8d02

Microsoft Managed Control 1841 - Consent

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

af2a93c8-e6dd-4c94-acdd-4a2eedfc478e

Microsoft Managed Control 1710 - Security Functionality Verification

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

c055ec23-c9d1-4718-be96-433aa8108516

Microsoft Managed Control 1826 - Data Quality | Re-Validate PII

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Key Vault

Certificates should not expire within the specified number of days

Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor, suffix remains equal (2.0.1-preview > 2.1.0-preview)

2022-04-01 20:29:14

BuiltIn

Machine Learning

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-04-01 20:29:14

BuiltIn

Kubernetes

07458826-9325-4481-abaf-bc9ed043459d

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.1 > 4.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1744 - Risk Management Strategy

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Internet of Things

c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02

Deploy - Configure Azure IoT Hubs to use private DNS zones

Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

f751cdb7-fbee-406b-969b-815d367cb9b3

Microsoft Managed Control 1591 - External Information System Services | Identification Of Functions / Ports / Protocols...

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

881299bf-2a5b-4686-a1b2-321d33679953

Microsoft Managed Control 1440 - Media Sanitization And Disposal | Review / Approve / Track / Document / Verify

Microsoft implements this Media Protection control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

4f3b7f51-9620-4c71-b887-48a6838c68b8

Microsoft Managed Control 1748 - Security Authorization Process

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

1c0b3710-03dc-450a-a56a-77b85e744f0d

Microsoft Managed Control 1749 - Mission/Business Process Definition

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Backup

39f15e01-d964-41ee-88e3-eefbddc840cd

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (6.0.0 > 6.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1846 - Individual Access

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

791cfc15-6974-42a0-9f4c-2d4b82f4a78c

Microsoft Managed Control 1647 - Use of Cryptography

Microsoft implements this System and Communications Protection control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

API for FHIR

0fea8f8a-4169-495d-8307-30ec335f387d

CORS should not allow every domain to access your API for FHIR

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect.

Default
Audit
Allowed
audit, Audit, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

238cef2f-9f76-41fa-be5e-0899a7aad0d8

Microsoft Managed Control 1821 - Data Quality

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

9db7917b-1607-4e7d-a689-bca978dd0633

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. The policy is deprecating since container port is only informative field which cannot decide the port container is actually using. For more information, see https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor, suffix remains equal (6.1.3-deprecated > 6.2.0-deprecated)

2022-04-01 20:29:14

BuiltIn

Managed Application

Application definition for Managed Application should use customer provided storage account

Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

89f2d532-c53c-4f8f-9afa-4927b1114a0d

Azure Kubernetes Service Clusters should disable Command Invoke

Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef

Microsoft Managed Control 1717 - Software & Information Integrity | Binary Or Machine Executable Code

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

f5a44e7d-77a2-474e-b2e3-4e8c42ba514b

Microsoft Managed Control 1729 - Information Security Program Plan

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

5bef3414-50bc-4fc0-b3db-372bb8fe0796

Microsoft Managed Control 1836 - Data Retention And Disposal

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

1437bf9c-feef-4c82-a57a-22d1fcbcd247

Microsoft Managed Control 1872 - Information Sharing with Third Parties

Microsoft implements this Use Limitation control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

0b1aa965-7502-41f9-92be-3e2fe7cc392a

Microsoft Managed Control 1046 - Unsuccessful Logon Attempts | Purge / Wipe Mobile Device

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Cosmos DB

99efece4-6828-42a4-9577-ff06bc1c4bf4

Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.2 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1839 - Minimization of PII Used in Testing, Training, And Research

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

dd469ae0-71a8-4adc-aafc-de6949ca3339

Microsoft Managed Control 1715 - Software & Information Integrity | Automated Response To Integrity Violations

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

6c657baf-0693-455a-8bb2-7b4bdf79fd0e

Microsoft Managed Control 1757 - Contacts With Security Groups And Associations

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2d045bca-a0fd-452e-9f41-4ec33769717c

Microsoft Managed Control 1068 - Wireless Access Restrictions

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2234feec-08c6-4fc9-af78-df0dcc482efd

Microsoft Managed Control 1860 - Privacy Notice

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

3a09e314-dca7-4a19-b3b4-14abd6305043

Microsoft Managed Control 1753 - Testing, Training, And Monitoring

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

aeedddb6-6bc0-42d5-809b-80048033419d

Microsoft Managed Control 1413 - Remote Maintenance

Microsoft implements this Maintenance control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

05f5163b-bd90-49eb-8b6e-c1044d0b170a

Microsoft Managed Control 1752 - Information Security Workforce

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

33cfabfd-49ce-432b-b988-aff483ca3897

Microsoft Managed Control 1871 - Information Sharing with Third Parties

Microsoft implements this Use Limitation control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

0dced7ab-9ce5-4137-93aa-14c13e06ab17

Microsoft Managed Control 1718 - Software & Information Integrity | Binary Or Machine Executable Code

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

86cd0591-5076-4447-aeff-2557def90353

Microsoft Managed Control 1827 - Data Integrity And Data Integrity Board

Microsoft implements this Data Quality and Integrity control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

d389df0a-e0d7-4607-833c-75a6fdac2c2d

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.2 > 4.1.0)

2022-04-01 20:29:14

BuiltIn

Event Grid

Deploy - Configure Azure Event Grid domains to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

5f18c885-ade3-48c5-80b1-8f9216019c18

Microsoft Managed Control 1576 - Acquisitions Process | Design / Implementation Information For Security Controls

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Kubernetes

a6f560f4-f582-4b67-b123-a37dcd1bf7ea

Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets

Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (1.0.1 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

6bfe6405-805c-4c9b-a9d3-f209237bb95d

Microsoft Managed Control 1802 - Governance And Privacy Program

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

2fb740e5-cbc7-4d10-8686-d1bf826652b1

Microsoft Managed Control 1090 - Security Awareness

Microsoft implements this Awareness and Training control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Kubernetes

1d61c4d2-aef2-432b-87fc-7f96b019b7e1

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.0.2 > 3.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

Configure Kubernetes clusters with specified GitOps configuration using no secrets

Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

79da5b09-0e7e-499e-adda-141b069c7998

Microsoft Managed Control 1510 - Position Categorization

Microsoft implements this Personnel Security control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

c6c43097-8552-4279-8b38-7dcabff781d3

Microsoft Managed Control 1819 - Accounting of Disclosures

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

dce72873-c5f1-47c3-9b4f-6b8207fd5a45

Microsoft Managed Control 1439 - Media Sanitization And Disposal

Microsoft implements this Media Protection control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.2 > 4.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.3 > 4.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

2ab0c8e3-b8ef-48e9-b6ac-a0c5e713a757

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.2 > 4.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1746 - Security Authorization Process

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

5fd9ced5-18e8-4c09-91b7-3725680f8ade

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.1.0 > 3.2.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1734 - Information Security Resources

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

66a56404-7b65-4e33-b371-28d069172dd4

Microsoft Managed Control 1743 - Risk Management Strategy

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

b11c985b-f2cd-4bd7-85f4-b52426edf905

Microsoft Managed Control 1571 - Acquisitions Process

Microsoft implements this System and Services Acquisition control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Monitoring

0d87c70b-5012-48e9-994b-e70dd4b8def0

Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1713 - Software & Information Integrity | Integrity Checks

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Machine Learning

0afb38a3-5e1c-4339-9ab4-df6a3dfc7da2

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1804 - Governance And Privacy Program

Microsoft implements this Accountability, Audit, and Risk Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

804faf7d-b687-40f7-9f74-79e28adf4205

Microsoft Managed Control 1703 - Security Alerts & Advisories

Microsoft implements this System and Information Integrity control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

3bd6a378-4173-411d-a958-dc699b0ee2fd

Microsoft Managed Control 1737 - Plan Of Action And Milestones Process

Microsoft implements this Program Management control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

56a838e0-0a5d-49a8-ab74-bf6be81b32f5

Microsoft Managed Control 1835 - Data Retention And Disposal

Microsoft implements this Data Minimization and Retention control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Kubernetes

4f26049b-2c5a-4841-9ff3-d48a26aae475

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.1 > 6.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1442 - Media Sanitization And Disposal | Nondestructive Techniques

Microsoft implements this Media Protection control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

1a437f5b-9ad6-4f28-8861-de404d511ae4

Microsoft Managed Control 1071 - Wireless Access Restrictions | Restrict Configurations By Users

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

80ca0a27-918a-4604-af9e-723a27ee51e8

Microsoft Managed Control 1303 - User Identification And Authentication | Local Access To Privileged Accounts

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

d78966ce-05c7-4967-829d-9a414ea2bc92

Microsoft Managed Control 1842 - Consent

Microsoft implements this Individual Participation and Redress control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Monitoring

1f68a601-6e6d-4e42-babf-3f643a047ea2

Azure Monitor Logs clusters should be encrypted with customer-managed key

Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-04-01 20:29:14

BuiltIn

Kubernetes

c3e4fa5d-c0c4-46c4-9a13-bb9b9f0b003f

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (4.0.3 > 4.1.0)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1865 - System of Records Notices And Privacy Act Statements | Public Website Publication

Microsoft implements this Transparency control

Fixed
audit

add

new Policy

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

91c97b44-791e-46e9-bad7-ab7c4949edbb

Microsoft Managed Control 1069 - Wireless Access Restrictions | Authentication And Encryption

Microsoft implements this Access Control control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Machine Learning

99deec7d-5526-472e-b07c-3645a792026a

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-04-01 20:29:14

BuiltIn

Regulatory Compliance

Microsoft Managed Control 1300 - User Identification And Authentication

Microsoft implements this Identification and Authentication control

Fixed
audit

change

Patch (1.0.0 > 1.0.1)

2022-04-01 20:29:14

BuiltIn

Monitoring

dfc212af-17ea-423a-9dcb-91e2cb2caa6b

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.1)

2022-03-25 18:52:24

BuiltIn

CDN

Azure Front Door profiles should use Premium tier that supports managed WAF rules and private link

Azure Front Door Premium supports Azure managed WAF rules and private link to supported Azure origins.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-03-25 18:52:24

BuiltIn

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (3.0.1-preview > 3.0.2-preview)

2022-03-25 18:52:24

BuiltIn

Guest Configuration

Audit Linux machines that have accounts without passwords

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-03-25 18:52:24

BuiltIn

Guest Configuration

679da822-78a7-4eff-8fff-a899454a9970

Audit Linux machines that allow remote connections from accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-03-25 18:52:24

BuiltIn

CDN

Azure Front Door Standard and Premium should be running minimum TLS version of 1.2

Setting minimal TLS version to 1.2 improves security by ensuring your custom domains are accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they are weak and do not support modern cryptographic algorithms.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-03-25 18:52:24

BuiltIn

Monitoring

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.1)

2022-03-25 18:52:24

BuiltIn

Monitoring

daba2cce-8326-4af3-b049-81a362da024d

Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-03-25 18:52:24

BuiltIn

CDN

Secure private connectivity between Azure Front Door Premium and Azure Storage Blob, or Azure App Service

Private link ensures private connectivity between AFD Premium and Azure Storage Blob or Azure App Service over the Azure backbone network, without the Azure Storage Blob or the Azure App Service being publicly exposed to the internet.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-03-25 18:52:24

BuiltIn

Guest Configuration

Audit Linux machines that do not have the passwd file permissions set to 0644

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-03-25 18:52:24

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machines

Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-03-25 18:52:24

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets

Fixed
deployIfNotExists

change

Major (1.3.0 > 2.0.0)

2022-03-18 17:53:47

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Fixed
modify

change

Major (3.0.0 > 4.0.0)

2022-03-18 17:53:47

BuiltIn

Monitoring

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2022-03-18 17:53:47

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Fixed
modify

change

Major (3.0.0 > 4.0.0)

2022-03-18 17:53:47

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machines

Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.

Fixed
deployIfNotExists

change

Major (1.3.0 > 2.0.0)

2022-03-18 17:53:47

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2022-03-18 17:53:47

BuiltIn

Monitoring

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.0)

2022-03-18 17:53:47

BuiltIn

Guest Configuration

450d2877-ebea-41e8-b00c-e286317d21bf

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

Major (2.0.0 > 3.0.0)

2022-03-18 17:53:47

BuiltIn

Kubernetes

Azure Kubernetes Service Clusters should enable Microsoft Entra ID integration

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-03-18 17:53:47

BuiltIn

Azure Update Manager

06695360-db88-47f6-b976-7500d4297475

Schedule recurring updates using Azure Update Manager

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-03-18 17:53:47

BuiltIn

Storage

Configure Azure File Sync to use private DNS zones

To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2022-03-18 17:53:47

BuiltIn

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.1-preview)

2022-03-18 17:53:47

BuiltIn

Monitoring

Linux Arc-enabled machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-03-11 18:16:48

BuiltIn

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2022-03-11 18:16:48

BuiltIn

Monitoring

8015d6ed-3641-4534-8d0b-5c67b67ff7de

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-03-11 18:16:48

BuiltIn

Backup

[Preview]: Configure Recovery Services vaults to use private endpoints for backup

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Recovery Services vaults, you can reduce data leakage risks. Note that your vaults need to meet certain pre-requisites to be eligible for private endpoint configuration. Learn more at : https://go.microsoft.com/fwlink/?linkid=2187162.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-03-11 18:16:48

BuiltIn

Monitoring

Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-03-11 18:16:48

BuiltIn

Kubernetes

Kubernetes resources should have required annotations

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-03-11 18:16:48

BuiltIn

Monitoring

Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-03-11 18:16:48

BuiltIn

SQL

82bf5b87-728b-4a74-ba4d-6123845cf542

Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace

Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-03-11 18:16:48

BuiltIn

Security Center

Configure Microsoft Defender for Azure Cosmos DB to be enabled

Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-03-11 18:16:48

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.2 > 5.0.0)

2022-03-11 18:16:48

BuiltIn

Monitoring

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-03-11 18:16:48

BuiltIn

Kubernetes

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.2-preview > 1.0.3-preview)

2022-03-11 18:16:48

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-03-11 18:16:48

BuiltIn

Monitoring

Configure Linux Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-03-11 18:16:48

BuiltIn

Monitoring

25da7dfb-0666-4a15-a8f5-402127efd8bb

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-03-11 18:16:48

BuiltIn

SQL

Configure SQL servers to have auditing enabled to Log Analytics workspace

To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-03-11 18:16:48

BuiltIn

Kubernetes

Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access

Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Major (1.0.0 > 2.0.0)

2022-03-11 18:16:48

BuiltIn

Monitoring

Configure Windows Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-03-11 18:16:48

BuiltIn

Kubernetes

Azure Kubernetes Service clusters should have Defender profile enabled

Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks

Default
Audit
Allowed
Audit, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2022-03-11 18:16:48

BuiltIn

Monitoring

32ba8d30-07c0-4136-ab18-9a11bf4a67b7

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (3.0.0 > 3.0.1)

2022-03-11 18:16:48

BuiltIn

Synapse

Configure Synapse workspaces to have auditing enabled to Log Analytics workspace

To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-03-11 18:16:48

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.2 > 6.0.0)

2022-03-11 18:16:48

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.2 > 5.0.0)

2022-03-11 18:16:48

BuiltIn

Monitoring

32e6bbec-16b6-44c2-be37-c5b672d103cf

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-03-11 18:16:48

BuiltIn

SQL

Azure SQL Database should be running TLS version 1.2 or newer

Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (1.0.1 > 2.0.0)

2022-03-11 18:16:48

BuiltIn

Security Center

adbe85b5-83e6-4350-ab58-bf3a4f736e5e

Microsoft Defender for Azure Cosmos DB should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-03-11 18:16:48

BuiltIn

Monitoring

08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd

Windows Arc-enabled machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-03-11 18:16:48

BuiltIn

Guest Configuration

Audit Windows machines on which the DSC configuration is not compliant

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant.

Fixed
auditIfNotExists

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

Monitoring

Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Automanage

1ec9c2c2-6d64-656d-6465-3ec3309b8579

Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-02-18 17:44:00

BuiltIn

Security Center

[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines

Deploys Microsoft Defender for Endpoint on applicable Windows VM images.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Fixed
modify

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

Guest Configuration

Audit Windows machines that do not have the specified Windows PowerShell execution policy

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

Security Center

e6ebf138-3d71-4935-a13b-9c7fdddd94df

[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines

Deploys Microsoft Defender for Endpoint agent on applicable Linux VM images.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Guest Configuration

Audit Windows machines on which the specified services are not installed and 'Running'

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter.

Fixed
auditIfNotExists

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

SQL

7c322315-e26d-4174-a99e-f49d351b4688

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2022-02-18 17:44:00

BuiltIn

Storage

Table Storage should use customer-managed key for encryption

Secure your table storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Security Center

4eb909e7-6d64-656d-6465-2eeb297a1625

[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines

Deploys Microsoft Defender for Endpoint agent on Linux hybrid machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Monitoring

934345e1-4dfb-4c70-90d7-41990dc9608b

Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Guest Configuration

Audit Windows machines that do not contain the specified certificates in Trusted Root

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter.

Fixed
auditIfNotExists

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

Guest Configuration

f0e5abd0-2554-4736-b7c0-4ffef23475ef

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Fixed
modify

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

Storage

Queue Storage should use customer-managed key for encryption

Secure your queue storage with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Guest Configuration

58c460e9-7573-4bb2-9676-339c2f2486bb

Audit Windows machines on which Windows Serial Console is not enabled

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters.

Fixed
auditIfNotExists

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

Monitoring

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2022-02-18 17:44:00

BuiltIn

SQL

c633f6a2-7f8b-4d9e-9456-02f0f04f5505

Public network access should be disabled for PostgreSQL flexible servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-02-18 17:44:00

BuiltIn

Guest Configuration

Audit Windows machines that are not set to the specified time zone

Fixed
auditIfNotExists

change

Major (2.0.0 > 3.0.0)

2022-02-18 17:44:00

BuiltIn

Security Center

cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349

[Deprecated]: Sensitive data in your SQL databases should be classified

Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, suffix changed: new suffix: deprecated; old suffix: preview (3.0.0-preview > 3.0.0-deprecated)

2022-02-18 17:44:00

BuiltIn

Monitoring

Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Monitoring

Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Monitoring

Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Kubernetes

fe8684d6-3c5b-45c0-a08b-fa92653c2e1c

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Major (3.0.0 > 4.0.0)

2022-02-18 17:44:00

BuiltIn

Stream Analytics

Stream Analytics job should connect to trusted inputs and outputs

Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization.

Default
Audit
Allowed
Deny, Disabled, Audit

change

Minor (1.0.0 > 1.1.0)

2022-02-18 17:44:00

BuiltIn

Security Center

37c043a6-6d64-656d-6465-b362dfeb354a

[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines

Deploys Microsoft Defender for Endpoint on Windows Azure Arc machines.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

Kubernetes

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (3.0.2 > 3.1.0)

2022-02-18 17:44:00

BuiltIn

Machine Learning

Azure Machine Learning Workspaces should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.2.0)

2022-02-18 17:44:00

BuiltIn

Monitoring

Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-18 17:44:00

BuiltIn

SQL

dc921057-6b28-4fbe-9b83-f7bec05db6c2

Public network access should be disabled for MySQL flexible servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-02-18 17:44:00

BuiltIn

Container Registry

Container registries should have local admin account disabled.

Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-02-11 18:30:22

BuiltIn

App Service

2d048aca-6479-4923-88f5-e2ac295d9af3

App Service Environment apps should not be reachable over public internet

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-02-11 18:30:22

BuiltIn

Container Registry

cced2946-b08a-44fe-9fd9-e4ed8a779897

Configure container registries to disable anonymous authentication.

Disable anonymous pull for your registry so that data not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Storage

16f4af95-96b1-4220-805a-367ca59cd72e

Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data integrity or data privacy

Ensure that at least either Kerberos integrity (krb5i) or Kerberos privacy (krb5p) is selected to ensure data integrity and data privacy.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Backup

9f2dea28-e834-476c-99c5-3507b4728395

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (5.0.0 > 6.0.0)

2022-02-11 18:30:22

BuiltIn

Container Registry

Container registries should have anonymous authentication disabled.

Disable anonymous pull for your registry so that data is not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (5.0.0 > 6.0.0)

2022-02-11 18:30:22

BuiltIn

Security Center

ddcf4b94-9dfa-4a80-aca6-22bb654fde72

[Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Storage

Azure NetApp Files SMB Volumes should use SMB3 encryption

Disallow the creation of SMB Volumes without SMB3 encryption to ensure data integrity and data privacy.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Security Center

[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the user-defined data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Security Center

ff05e24e-195c-447e-b322-5e90c9f9f366

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (5.0.0-preview > 5.0.1-preview)

2022-02-11 18:30:22

BuiltIn

Container Registry

Container registries should have repository scoped access token disabled.

Disable repository scoped access tokens for your registry so that repositories are not accessible by tokens. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (5.0.0 > 6.0.0)

2022-02-11 18:30:22

BuiltIn

Security Center

[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Backup

d558e1a6-296d-4fbb-81a5-ea25822639f6

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (5.0.0 > 6.0.0)

2022-02-11 18:30:22

BuiltIn

Storage

Azure NetApp Files Volumes should not use NFSv3 protocol type

Disallow the use of NFSv3 protocol type to prevent unsecure access to volumes. NFSv4.1 with Kerberos protocol should be used to access NFS volumes to ensure data integrity and encryption.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Storage

7c6c7139-7d8e-45d0-9d94-72386a61308b

Azure NetApp Files Volumes of type NFSv4.1 should use Kerberos data encryption

Only allow the use of Kerberos privacy (5p) security mode to ensure data is encrypted.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Security Center

a9b426fe-8856-4945-8600-18c5dd1cca2a

[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure Arc machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Container Registry

Configure container registries to disable repository scoped access token.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2022-02-11 18:30:22

BuiltIn

Container Registry

79fdfe03-ffcb-4e55-b4d0-b925b8241759

Configure container registries to disable local admin account.

Default
Modify
Allowed
Modify, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-02-11 18:30:22

BuiltIn

Kubernetes

6d02d2f7-e38b-4bdc-96f3-adc0a8726abc

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-02-04 18:25:37

BuiltIn

Automanage

Hotpatch should be enabled for Windows Server Azure Edition VMs

Minimize reboots and install updates quickly with hotpatch. Learn more at https://docs.microsoft.com/azure/automanage/automanage-hotpatch

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-04 18:25:37

BuiltIn

SQL

Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace

Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-02-04 18:25:37

BuiltIn

Security Center

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2022-02-04 18:25:37

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.1 > 3.0.0)

2022-02-04 18:25:37

BuiltIn

Security Center

a9934fd7-29f2-4e6d-ab3d-607ea38e9079

[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-04 18:25:37

BuiltIn

SQL

SQL Managed Instances should avoid using GRS backup redundancy

Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL.

Default
Deny
Allowed
Deny, Disabled

change

Major (1.0.1 > 2.0.0)

2022-02-04 18:25:37

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-02-04 18:25:37

BuiltIn

Monitoring

Windows virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-02-04 18:25:37

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-02-04 18:25:37

BuiltIn

Monitoring

Windows virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-02-04 18:25:37

BuiltIn

Security Center

[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-02-04 18:25:37

BuiltIn

Kubernetes

Ensure cluster containers have readiness or liveness probes configured

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-02-04 18:25:37

BuiltIn

Security Center

Configure machines to receive a vulnerability assessment provider

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.2.0-preview > 3.0.0-preview)

2022-02-04 18:25:37

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords

This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

Major (1.2.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

App Service

1221c620-d201-468c-81e7-2817e6107e84

App Service apps should have resource logs enabled

Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Network Security'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

35781875-8026-4628-b19b-f6efb4d88a1d

Windows machines should meet requirements for 'System Audit Policies - Object Access'

Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

c5b85cba-6e6f-4de4-95e1-f0233cd712ac

Audit Windows machines that do not have the specified Windows PowerShell execution policy

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Audit Windows machines that have the specified applications installed

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

4d1c04de-2172-403f-901b-90608c35c721

[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed

This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

fee5cb2b-9d9b-410e-afe3-2902d90d0004

[Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f

Audit Windows machines that have the specified members in the Administrators group

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

237b38db-ca4d-4259-9e47-7882441ca2c0

Audit Windows machines that do not have the minimum password age set to specified number of days

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

d472d2c9-d6a3-4500-9f5f-b15f123005aa

Linux machines should only have local accounts that are allowed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Interactive Logon'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

84662df4-0e37-44a6-9ce1-c9d2150db18c

[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644

This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Audit Windows machines that are not joined to the specified domain

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

e068b215-0026-4354-b347-8fb2766f73a2

Windows machines should meet requirements for 'User Rights Assignment'

Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

4221adbc-5c0f-474f-88b7-037a99e6114c

Audit Windows VMs with a pending reboot

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

3e4e2bd5-15a2-4628-b3e1-58977e9793f3

Audit Windows machines that do not have the specified Windows PowerShell modules installed

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

8537fe96-8cbe-43de-b0ef-131bc72bc22a

Windows machines should meet requirements for 'Windows Components'

Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

e6ebf138-3d71-4935-a13b-9c7fdddd94df

Audit Windows machines on which the specified services are not installed and 'Running'

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

35d9882c-993d-44e6-87d2-db66ce21b636

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Fixed
modify

change

Major (1.1.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Windows Firewall Properties'

Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

630ac30f-a234-4533-ac2d-e0df77acda51

Audit Windows machines network connectivity

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

3d2a3320-2a72-4c67-ac5f-caa40fbee2b2

Audit Windows machines that have extra accounts in the Administrators group

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

968410dc-5ca0-4518-8a5b-7b55f0530ea9

Windows machines should meet requirements for 'Administrative Templates - System'

Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

c633f6a2-7f8b-4d9e-9456-02f0f04f5505

Audit Windows machines that are not set to the specified time zone

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Audit Linux machines that do not have the passwd file permissions set to 0644

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

58c460e9-7573-4bb2-9676-339c2f2486bb

Windows machines should be configured to use secure communication protocols

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Audit Windows machines on which Windows Serial Console is not enabled

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.

This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.

Fixed
deployIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

3aa2661b-02d7-4ba6-99bc-dc36b10489fd

Windows machines should meet requirements of the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Administrative Templates - Control Panel'

Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

f79fef0d-0050-4c18-a303-5babb9c14ac7

[Deprecated]: Show audit results from Linux VMs that have accounts without passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should only have local accounts that are allowed

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

1417908b-4bff-46ee-a2a6-4acc899320ab

Audit Windows machines that contain certificates expiring within the specified number of days

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Audit Linux machines that allow remote connections from accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

beb6ccee-b6b8-4e91-9801-a5fa4260a104

[Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Audit Windows machines that have not restarted within the specified number of days

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

5b054a0d-39e2-4d53-bea3-9734cad2c69b

Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

87845465-c458-45f3-af66-dcd62176f397

Windows machines should meet requirements for 'System Audit Policies - Privilege Use'

Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

4078e558-bda6-41fb-9b3c-361e8875200d

Audit Linux machines that have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.2.0 > 4.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

[Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc

Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

2a7a701e-dff3-4da9-9ec5-42cb98594c0b

Windows machines should meet requirements for 'System Audit Policies - Policy Change'

Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

43bb60fe-1d7e-4b82-9e93-496bfc99e7d5

[Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'System Audit Policies - Account Logon'

Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

5b842acb-0fe7-41b0-9f40-880ec4ad84d8

[Deprecated]: Show audit results from Linux VMs that have the specified applications installed

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

67e010c1-640d-438e-a3a5-feaccb533a98

Windows machines should meet requirements for 'Administrative Templates - Network'

Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

e0a7e899-2ce2-4253-8a13-d808fdeb75af

Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'

Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

8316fa92-d69c-4810-8124-62414f560dcf

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.3.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'System Audit Policies - System'

Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd

Windows machines should meet requirements for 'Security Options - Network Access'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

ee984370-154a-4ee8-9726-19d900e56fc0

Windows machines should meet requirements for 'Security Options - Accounts'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

884b209a-963b-4520-8006-d20cb3c213e0

Windows Defender Exploit Guard should be enabled on your machines

Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.1.1 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed

This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

94d9aca8-3757-46df-aa51-f218c5f11954

Windows machines should meet requirements for 'System Audit Policies - Account Management'

Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Kubernetes

d6c69680-54f0-4349-af10-94dd05f4225e

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.2 > 4.0.3)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Microsoft Network Client'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7

Audit Windows machines missing any of specified members in the Administrators group

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

934345e1-4dfb-4c70-90d7-41990dc9608b

Audit Windows machines that do not contain the specified certificates in Trusted Root

Fixed
auditIfNotExists

change

Major (1.0.1 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

ebb67efd-3c46-49b0-adfe-5599eb944998

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Fixed
modify

change

Major (1.1.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Audit Windows machines that don't have the specified applications installed

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd

Audit Windows machines on which the DSC configuration is not compliant

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

a2d0e922-65d0-40c4-8f87-ea6da2d307a2

Audit Windows machines that do not restrict the minimum password length to specified number of characters

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

594c1276-f44f-482d-9910-71fac2ce5ae0

Audit Linux machines that don't have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.1.0 > 4.0.0)

2022-01-28 17:51:01

BuiltIn

Monitoring

[Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

492a29ed-d143-4f03-b6a4-705ce081b463

Windows machines should meet requirements for 'Security Options - User Account Control'

Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

caf2d518-f029-4f6b-833b-d7081702f253

Windows machines should meet requirements for 'Security Options - Microsoft Network Server'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

4ceb8dc2-559c-478b-a15b-733fbf1e3738

Audit Windows machines that do not have the maximum password age set to specified number of days

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Audit Linux machines that have accounts without passwords

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

33936777-f2ac-45aa-82ec-07958ec9ade4

[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords

This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

Major, suffix remains equal (3.1.0-deprecated > 4.0.0-deprecated)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Audit'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

12017595-5a75-4bb1-9d97-4c2c939ea3c3

Windows machines should meet requirements for 'Security Options - System settings'

Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

8794ff4f-1a35-4e18-938f-0b22055067cd

Windows machines should meet requirements for 'Security Options - Devices'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

6265018c-d7e2-432f-a75d-094d5f6f4465

Audit Windows machines on which the Log Analytics agent is not connected as expected

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter.

Fixed
auditIfNotExists

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

bf16e0bb-31e1-4646-8202-60a235cc7e74

Audit Windows machines that do not have the password complexity setting enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

b4a4d1eb-0263-441b-84cb-a44073d8372d

Windows machines should meet requirements for 'Security Options - Shutdown'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

58383b73-94a9-4414-b382-4146eb02611b

Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'

Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

f71be03e-e25b-4d0f-b8bc-9b3e309b66c0

Windows machines should meet requirements for 'Security Options - Recovery console'

Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

f2143251-70de-4e81-87a8-36cee5a2f29d

Windows machines should meet requirements for 'Security Settings - Account Policies'

Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

19be9779-c776-4dfa-8a15-a2fd5dc843d6

Authentication to Linux machines should require SSH keys

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.2.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'

Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

2f262ace-812a-4fd0-b731-b38ba9e9708d

Windows machines should meet requirements for 'Security Options - System objects'

Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2022-01-28 17:51:01

BuiltIn

Guest Configuration

da0f98fe-a24b-4ad5-af69-bd0400233661

Audit Windows machines that do not store passwords using reversible encryption

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-28 17:51:01

BuiltIn

Automanage

10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9

Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2022-01-21 21:53:22

BuiltIn

General

[Deprecated]: Custom subscription owner roles should not exist

This policy is deprecated.

Default
Audit
Allowed
Audit, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2022-01-21 21:53:22

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.2 > 4.0.3)

2022-01-21 21:53:22

BuiltIn

App Service

App Service apps that use PHP should use a specified 'PHP version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2022-01-21 21:53:22

BuiltIn

Automanage

[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: version (4.1.0 > 4.1.0-version-deprecated)

2022-01-21 21:53:22

BuiltIn

App Service

08a6b96f-576e-47a2-8511-119a212d344d

App Service apps should use a SKU that supports private link

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-21 21:53:22

BuiltIn

Azure Edge Hardware Center

Azure Edge Hardware Center devices should have double encryption support enabled

Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-14 17:44:09

BuiltIn

Machine Learning

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-01-14 17:44:09

BuiltIn

Machine Learning

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (3.1.0-preview > 4.0.0-preview)

2022-01-14 17:44:09

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2022-01-14 17:44:09

BuiltIn

Security Center

bc1b984e-ddae-40cc-801a-050a030e4fbe

[Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-01-07 18:14:35

BuiltIn

Storage

Storage accounts should have shared access signature (SAS) policies configured

Ensure storage accounts have shared access signature (SAS) expiration policy enabled. Users use a SAS to delegate access to resources in Azure Storage account. And SAS expiration policy recommend upper expiration limit when a user creates a SAS token.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2022-01-07 18:14:35

BuiltIn

SQL

0a370ff3-6cab-4e85-8995-295fd854c5b8

SQL servers should use customer-managed keys to encrypt data at rest

Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (2.0.0 > 2.0.1)

2022-01-07 18:14:35

BuiltIn

Backup

958dbd4e-0e20-4385-a082-d3f20c2a6ad8

[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region

Enforce backup for blobs on all storage accounts that do not contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-01-07 18:14:35

BuiltIn

Bot Service

52152f42-0dda-40d9-976e-abb1acdd611e

Bot Service should have isolated mode enabled

Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-07 18:14:35

BuiltIn

Internet of Things

27d4c5ec-8820-443f-91fe-1215e96f64b2

Azure Device Update for IoT Hub accounts should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Device Update for IoT Hub accounts, data leakage risks are reduced.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2022-01-07 18:14:35

BuiltIn

Monitoring

2f2ee1de-44aa-4762-b6bd-0893fc3f306d

[Preview]: Network traffic data collection agent should be installed on Windows virtual machines

Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2022-01-07 18:14:35

BuiltIn

Security Center

615b01c4-d565-4f6f-8c6e-d130268e3a1a

Guest Configuration extension should be installed on your machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2022-01-07 18:14:35

BuiltIn

Backup

[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region

Enforce backup for blobs on all storage accounts that contain a given tag to a central backup vault. Doing this can help you manage backup of blobs contained across multiple storage accounts at scale. For more details, refer to https://aka.ms/AB-BlobBackupAzPolicies

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2022-01-07 18:14:35

BuiltIn

App Service

b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0

[Deprecated]: Diagnostic logs in App Services should be enabled

Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2022-01-07 18:14:35

BuiltIn

Monitoring

04c4380f-3fae-46e8-96c9-30193528f602

[Preview]: Network traffic data collection agent should be installed on Linux virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2022-01-07 18:14:35

BuiltIn

Monitoring

8e3e61b3-0b32-22d5-4edf-55f87fdb5955

Configure Log Analytics workspace and automation account to centralize logs and monitoring

Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2022-01-07 18:14:35

BuiltIn

Monitoring

7f89b1eb-583c-429a-8828-af049802c1d9

Audit diagnostic setting for selected resource types

Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.

Fixed
AuditIfNotExists

change

Minor (1.0.0 > 1.1.0)

2022-01-07 18:14:35

BuiltIn

Monitoring

bacd7fca-1938-443d-aad6-a786107b1bfb

[Deprecated]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-01-07 18:14:35

BuiltIn

Monitoring

594c1276-f44f-482d-9910-71fac2ce5ae0

[Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2022-01-07 18:14:35

BuiltIn

Kubernetes

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, new suffix: deprecated (6.1.2 > 6.1.3-deprecated)

2022-01-07 18:14:35

BuiltIn

Security Center

9259053b-ddb8-40ab-842a-0aef19d0ade4

[Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2022-01-07 18:14:35

BuiltIn

Azure Purview

Azure Purview accounts should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Purview accounts instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/purview-private-link.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2022-01-07 18:14:35

BuiltIn

Kubernetes

c050047b-b21b-4822-8a2d-c1e37c3c0c6a

Configure Kubernetes clusters with specified GitOps configuration using SSH secrets

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-10 17:29:56

BuiltIn

Network

Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-10 17:29:56

BuiltIn

Network

a6f560f4-f582-4b67-b123-a37dcd1bf7ea

Configure network security groups to enable traffic analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-10 17:29:56

BuiltIn

Kubernetes

Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets

Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-10 17:29:56

BuiltIn

Network

0db34a60-64f4-4bf6-bd44-f95c16cf34b9

Deploy a flow log resource with target network security group

Fixed
deployIfNotExists

change

Patch (1.0.0 > 1.0.1)

2021-12-10 17:29:56

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Audit Linux machines that have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.1.0 > 3.2.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

0adc5395-9169-4b9b-8687-af838d69410a

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Kubernetes

d3d1e68e-49d4-4b56-acff-93cef644b432

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.1.1 > 6.1.2)

2021-12-06 22:17:57

BuiltIn

Security Center

[Deprecated]: Configure Azure Defender for container registries to be enabled

Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.1 > 3.0.2)

2021-12-06 22:17:57

BuiltIn

Backup

ac01ad65-10e5-46df-bdd9-6b0cad13e1d2

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (4.0.0 > 5.0.0)

2021-12-06 22:17:57

BuiltIn

SQL

SQL managed instances should use customer-managed keys to encrypt data at rest

Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, old suffix: preview (1.0.0-preview > 2.0.0)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Audit Linux machines that have accounts without passwords

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.3 > 7.0.4)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (2.0.1 > 2.0.2)

2021-12-06 22:17:57

BuiltIn

Kubernetes

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2021-12-06 22:17:57

BuiltIn

Security Center

615b01c4-d565-4f6f-8c6e-d130268e3a1a

[Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Backup

[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.1 > 3.0.2)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2021-12-06 22:17:57

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (4.0.0 > 5.0.0)

2021-12-06 22:17:57

BuiltIn

Security Center

Configure Microsoft Defender for Key Vault plan

Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Fixed
modify

change

Minor (1.0.0 > 1.1.0)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

958dbd4e-0e20-4385-a082-d3f20c2a6ad8

[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords

Fixed
deployIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Backup

[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Backup

523b5cd1-3e23-492f-a539-13118b6d1e3a

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (4.0.0 > 5.0.0)

2021-12-06 22:17:57

BuiltIn

Security Center

[Deprecated]: Azure Defender for Kubernetes should be enabled

Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Linux VMs that have accounts without passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Security Center

Configure Azure Defender for Resource Manager to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.1 > 3.0.2)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.2.0 > 1.3.0)

2021-12-06 22:17:57

BuiltIn

Security Center

[Deprecated]: Configure Azure Defender for DNS to be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

fee5cb2b-9d9b-410e-afe3-2902d90d0004

Audit Linux machines that don't have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed

Fixed
auditIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.1 > 5.0.2)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Authentication to Linux machines should require SSH keys

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.1.0 > 2.2.0)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d

[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644

Fixed
deployIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Security Center

Configure Azure Defender for App Service to be enabled

Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (2.1.1 > 2.1.2)

2021-12-06 22:17:57

BuiltIn

Compute

a499fed8-bcc8-4195-b154-641f14743757

[Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.0)

2021-12-06 22:17:57

BuiltIn

Monitoring

Azure Monitor Private Link Scope should block access to non private link resources

Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Security Center

c9ddb292-b203-4738-aead-18e2716e858f

Configure Microsoft Defender for Containers to be enabled

Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Kubernetes

Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access

Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

add

new Policy

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

Minor (1.1.1 > 1.2.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Major (2.0.0 > 3.0.0)

2021-12-06 22:17:57

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (4.0.0 > 5.0.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

4d1c04de-2172-403f-901b-90608c35c721

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed

Fixed
deployIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

1e7fed80-8321-4605-b42c-65fc300f23a3

[Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

[Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc

Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-12-06 22:17:57

BuiltIn

SQL

048248b0-55cd-46da-b1ff-39efd52db260

[Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest

This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 instead

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.2 > 1.0.2-deprecated)

2021-12-06 22:17:57

BuiltIn

165a4137-c3ed-4fd0-a17f-1c8a80266580

Fixed

add

new Policy

2021-12-06 22:17:57

BuiltIn

Monitoring

bec5db8e-c4e3-40f9-a545-e0bd00065c82

Configure Azure Monitor Private Link Scope to block access to non private link resources

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Security Center

1c988dd6-ade4-430f-a608-2a3e5b0a6d38

Microsoft Defender for Containers should be enabled

Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Guest Configuration

5b842acb-0fe7-41b0-9f40-880ec4ad84d8

[Deprecated]: Show audit results from Linux VMs that have the specified applications installed

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Audit Linux machines that do not have the passwd file permissions set to 0644

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

133047bf-1369-41e3-a3be-74a11ed1395a

[Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster

This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, suffix remains equal (4.0.1-deprecated > 4.0.2-deprecated)

2021-12-06 22:17:57

BuiltIn

Security Center

[Deprecated]: Configure Azure Defender for Kubernetes to be enabled

Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-12-06 22:17:57

BuiltIn

Kubernetes

c9c29499-c1d1-4195-99bd-2ec9e3a9dc89

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.1 > 3.0.2)

2021-12-06 22:17:57

BuiltIn

Monitoring

Deploy Diagnostic Settings for Network Security Groups

This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.

Fixed
deployIfNotExists

change

Major (1.0.0 > 2.0.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.1.1 > 6.1.2)

2021-12-06 22:17:57

BuiltIn

Kubernetes

6b2122c1-8120-4ff5-801b-17625a355590

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Fixed
modify

change

Minor (1.0.0 > 1.1.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

0d134df8-db83-46fb-ad72-fe0c9428c8dd

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-12-06 22:17:57

BuiltIn

SQL

[Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest

This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.1 > 2.0.1-deprecated)

2021-12-06 22:17:57

BuiltIn

Kubernetes

c25d9a16-bc35-4e15-a7e5-9db606bf9ed4

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-12-06 22:17:57

BuiltIn

Security Center

[Deprecated]: Azure Defender for container registries should be enabled

Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

af35e2a4-ef96-44e7-a9ae-853dd97032c4

Audit Linux machines that allow remote connections from accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2021-12-06 22:17:57

BuiltIn

App Platform

Azure Spring Cloud should use network injection

Default
Audit
Allowed
Audit, Disabled, Deny

change

Minor (1.0.0 > 1.1.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-12-06 22:17:57

BuiltIn

Kubernetes

884b209a-963b-4520-8006-d20cb3c213e0

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.2 > 4.0.3)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed

Fixed
deployIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

702dd420-7fcc-42c5-afe8-4026edd20fe0

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.

Fixed
deployIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Compute

OS and data disks should be encrypted with a customer-managed key

Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

0a370ff3-6cab-4e85-8995-295fd854c5b8

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.1 > 3.0.2)

2021-12-06 22:17:57

BuiltIn

SQL

SQL servers should use customer-managed keys to encrypt data at rest

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, old suffix: preview (1.0.0-preview > 2.0.0)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords

Fixed
deployIfNotExists

change

Minor, suffix remains equal (3.0.0-deprecated > 3.1.0-deprecated)

2021-12-06 22:17:57

BuiltIn

Kubernetes

564feb30-bf6a-4854-b4bb-0d2d2d1e6c66

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.0.0 > 6.0.1)

2021-12-06 22:17:57

BuiltIn

Network

Web Application Firewall (WAF) should be enabled for Application Gateway

Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.1 > 2.0.0)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

Audit Windows machines that do not have the specified Windows PowerShell execution policy

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-12-06 22:17:57

BuiltIn

Kubernetes

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.1 > 3.0.2)

2021-12-06 22:17:57

BuiltIn

Guest Configuration

8893442c-e7cb-4637-bab8-299a5d4ed96a

Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

Fixed
deployIfNotExists

change

Minor (1.1.0 > 1.2.0)

2021-12-06 22:17:57

BuiltIn

Security Center

[Preview]: ChangeTracking extension should be installed on your Linux virtual machine

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

1288c8d7-4b05-4e3a-bc88-9053caefc021

Configure ChangeTracking Extension for Linux virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

221aac80-54d8-484b-83d7-24f4feac2ce0

[Preview]: ChangeTracking extension should be installed on your Windows virtual machine

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Kubernetes

d62cfe2b-3ab0-4d41-980d-76803b58ca65

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

[Deprecated]: Log Analytics agent health issues should be resolved on your machines

Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2021-11-12 16:23:07

BuiltIn

Media Services

9285c3de-d5fd-4225-86d4-027894b0c442

[Deprecated]: Azure Media Services should use customer-managed keys to encrypt data at rest

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

013e242c-8828-4970-87b3-ab247555486d

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 5.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Backup

Azure Backup should be enabled for Virtual Machines

Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 4.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

95406fc3-1f69-47b0-8105-4c03b276ec5c

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot

Configure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 5.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Kubernetes

1cb4d9c2-f88f-4069-bee0-dba239a57b09

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 3.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Kubernetes

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, new suffix: preview (1.0.0 > 1.0.1-preview)

2021-11-12 16:23:07

BuiltIn

Kubernetes

a7f5e735-d212-4c32-9229-d12bffbc7e00

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.2 > 7.0.3)

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: ChangeTracking extension should be installed on your Windows Arc machine

Install ChangeTracking Extension on Windows Arc machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 6.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

fe8684d6-3c5b-45c0-a08b-fa92653c2e1c

[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 5.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Stream Analytics

Stream Analytics job should connect to trusted inputs and outputs

Default
Audit
Allowed
Deny, Disabled, Audit

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

7cb1b219-61c6-47e0-b80c-4472cadeeb5f

[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot

Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 3.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Data Factory

009259b0-12e8-42c9-94e7-7af86aa58d13

Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported

Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

Configure ChangeTracking Extension for Windows Arc machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

97566dd7-78ae-4997-8b36-1c7bfe0d8121

Configure ChangeTracking Extension for Linux virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Secure Boot should be enabled on supported Windows virtual machines

Default
Audit
Allowed
Audit, Disabled

change

Major, suffix remains equal (1.0.0-preview > 3.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

e494853f-93c3-4e44-9210-d12f61a64b34

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Configure supported virtual machines to automatically enable vTPM

Configure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-11-12 16:23:07

BuiltIn

Kubernetes

055aa869-bc98-4af8-bafc-23f1ab6ffe2c

Azure Kubernetes Service clusters should have Defender profile enabled

Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks

Default
Audit
Allowed
Audit, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2021-11-12 16:23:07

BuiltIn

Network

Azure Web Application Firewall should be enabled for Azure Front Door entry-points

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2021-11-12 16:23:07

BuiltIn

Backup

4bb303db-d051-4099-95d2-e3e1428a4d00

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-11-12 16:23:07

BuiltIn

Security Center

ChangeTracking extension should be installed on your Windows virtual machine scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

1c30f9cd-b84c-49cc-aa2c-9288447cc3b3

[Preview]: vTPM should be enabled on supported virtual machines

Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines.

Default
Audit
Allowed
Audit, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Backup

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 4.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

fc47609f-4d9b-4aed-806b-446816cc63a3

Configure ChangeTracking Extension for Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: ChangeTracking extension should be installed on your Linux Arc machine

Install ChangeTracking Extension on Linux Arc machines to enable File Integrity Monitoring(FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitoring Agent.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

e71c1e29-9c76-4532-8c4b-cb0573b0014c

ChangeTracking extension should be installed on your Linux virtual machine scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

4bb303db-d051-4099-95d2-e3e1428a4d2c

Configure ChangeTracking Extension for Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Backup

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-11-12 16:23:07

BuiltIn

Security Center

[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (5.0.0-preview > 6.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Security Center

496e010e-fa91-4c00-be4b-92b481f67b58

Configure ChangeTracking Extension for Linux Arc machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-11-12 16:23:07

BuiltIn

Security Center

[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension

Configure virtual machines created with Shared Image Gallery images to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-11-12 16:23:07

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.1 > 7.0.2)

2021-10-25 16:02:14

BuiltIn

Key Vault

Certificates should not expire within the specified number of days

Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Version remains equal, new suffix: preview (2.0.1 > 2.0.1-preview)

2021-10-25 16:02:14

BuiltIn

SQL

Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace

Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2021-10-22 15:42:38

BuiltIn

Security Center

496e010e-fa91-4c00-be4b-92b481f67b58

[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.2 > 2.0.3)

2021-10-22 15:42:38

BuiltIn

Security Center

[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-22 15:42:38

BuiltIn

Security Center

[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-10-22 15:42:38

BuiltIn

Monitoring

Windows Arc-enabled machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-10-22 15:42:38

BuiltIn

Monitoring

Configure Windows Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-22 15:42:38

BuiltIn

Monitoring

Windows virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-10-22 15:42:38

BuiltIn

Security Center

[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-10-22 15:42:38

BuiltIn

Monitoring

Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity

Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-22 15:42:38

BuiltIn

Security Center

[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-10-22 15:42:38

BuiltIn

Monitoring

Windows virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-10-22 15:42:38

BuiltIn

Security Center

009259b0-12e8-42c9-94e7-7af86aa58d13

[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-10-22 15:42:38

BuiltIn

Security Center

[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-22 15:42:38

BuiltIn

Monitoring

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-10-19 19:10:32

BuiltIn

Monitoring

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-10-19 19:10:32

BuiltIn

Monitoring

Linux virtual machine scale sets should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-10-19 19:10:32

BuiltIn

Monitoring

Configure Linux Arc-enabled machines to run Azure Monitor Agent

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-19 19:10:32

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-10-19 19:10:32

BuiltIn

Guest Configuration

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, old suffix: preview (1.2.0-preview > 1.2.0)

2021-10-19 19:10:32

BuiltIn

Monitoring

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-10-19 19:10:32

BuiltIn

Monitoring

Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-19 19:10:32

BuiltIn

Guest Configuration

2c89a2e5-7285-40fe-afe0-ae8654b92fb2

Windows machines should meet requirements of the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, old suffix: preview (1.0.1-preview > 1.0.1)

2021-10-19 19:10:32

BuiltIn

Compute

[Deprecated]: Unattached disks should be encrypted

This policy audits any unattached disk without encryption enabled.

Default
Audit
Allowed
Audit, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2021-10-19 19:10:32

BuiltIn

6300012e-e9a4-4649-b41f-a85f5c43be91

Azure AI Search services should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-10-19 19:10:32

BuiltIn

Monitoring

Linux virtual machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-10-19 19:10:32

BuiltIn

Monitoring

Linux Arc-enabled machines should have Azure Monitor Agent installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-10-19 19:10:32

BuiltIn

Monitoring

4eb216f2-9dba-4979-86e6-5d7e63ce3b75

[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs

Default
Modify
Allowed
Modify, Disabled

count: 003
•Managed Identity Contributor
•Managed Identity Operator
•Virtual Machine Contributor

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2021-10-19 19:10:32

BuiltIn

Configure Azure AI Search services to disable local authentication

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-10-19 19:10:32

BuiltIn

Monitoring

bef3f64c-5290-43b7-85b0-9b254eef4c47

Deploy Diagnostic Settings for Key Vault to Log Analytics workspace

Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-10-08 15:47:40

BuiltIn

Azure Arc

898f2439-3333-4713-af25-f1d78bc50556

Azure Arc Private Link Scopes should disable public network access

Disabling public network access improves security by ensuring that Azure Arc resources cannot connect via the public internet. Creating private endpoints can limit exposure of Azure Arc resources. Learn more at: https://aka.ms/arc/privatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Azure Arc

55c4db33-97b0-437b-8469-c4f4498f5df9

Configure Azure Arc Private Link Scopes to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Azure Arc

efa3f296-ff2b-4f38-bc0d-5ef12c965b68

Azure Arc-enabled servers should be configured with an Azure Arc Private Link Scope

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

HDInsight

2676090a-4baf-46ac-9085-4ac02cc50e3e

Configure Azure HDInsight clusters with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Guest Configuration

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

Patch (1.1.0 > 1.1.1)

2021-10-08 15:47:40

BuiltIn

Azure Update Manager

d6eeba80-df61-4de5-8772-bc1b7852ba6b

Machines should be configured to periodically check for missing system updates

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Azure Arc

Configure Azure Arc Private Link Scopes with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 003
•Azure Connected Machine Resource Administrator
•Kubernetes Cluster - Azure Arc Onboarding
•Network Contributor

add

new Policy

2021-10-08 15:47:40

BuiltIn

Azure Update Manager

44433aa3-7ec2-4002-93ea-65c65ff0310a

Configure periodic checking for missing system updates on azure virtual machines

Fixed
modify

add

new Policy

2021-10-08 15:47:40

BuiltIn

Security Center

Configure Azure Defender for open-source relational databases to be enabled

Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Azure Arc

de0bc8ea-76e2-4fe2-a288-a07556d0e9c4

Configure Azure Arc Private Link Scopes to disable public network access

Disable public network access for your Azure Arc Private Link Scope so that associated Azure Arc resources cannot connect to Azure Arc services over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/arc/privatelink.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Compute

7804b5c7-01dc-4723-969b-ae300cc07ff1

Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2021-10-08 15:47:40

BuiltIn

Machine Learning

Azure Machine Learning Computes should be in a virtual network

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Azure Arc

7eab1da3-2bf0-4ff0-8303-1a4277c380e8

Azure Arc Private Link Scopes should be configured with a private endpoint

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Arc Private Link Scopes, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

HDInsight

43d6e3bd-fc6a-4b44-8b4d-2151d8736a11

Configure Azure HDInsight clusters to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure HDInsight clusters. Learn more at: https://aka.ms/hdi.pl.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Azure Arc

a3461c8c-6c9d-4e42-a644-40ba8a1abf49

Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Key Vault

ed7c8c13-51e7-49d1-8a43-8490431a0da2

Deploy Diagnostic Settings for Key Vault to Event Hub

Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-10-08 15:47:40

BuiltIn

Azure Update Manager

c8cc2f85-e019-4065-9fa3-5e6a2b2dde56

Configure periodic checking for missing system updates on azure Arc-enabled servers

Fixed
modify

add

new Policy

2021-10-08 15:47:40

BuiltIn

HDInsight

Azure HDInsight should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure HDInsight clusters, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/hdi.pl.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-10-08 15:47:40

BuiltIn

Guest Configuration

Audit Linux machines that do not have the passwd file permissions set to 0644

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-10-04 15:27:15

BuiltIn

Kubernetes

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Version remains equal, old suffix: preview (2.0.1-preview > 2.0.1)

2021-10-04 15:27:15

BuiltIn

Machine Learning

Azure Machine Learning Workspaces should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-10-04 15:27:15

BuiltIn

Guest Configuration

Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

Fixed
deployIfNotExists

change

Minor (1.0.1 > 1.1.0)

2021-10-04 15:27:15

BuiltIn

Guest Configuration

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

Minor (1.0.1 > 1.1.0)

2021-10-04 15:27:15

BuiltIn

Guest Configuration

Linux machines should only have local accounts that are allowed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-10-04 15:27:15

BuiltIn

Kubernetes

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2021-10-04 15:27:15

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1)

2021-10-04 15:27:15

BuiltIn

Machine Learning

Configure Azure Machine Learning Workspaces to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-10-04 15:27:15

BuiltIn

Kubernetes

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Version remains equal, old suffix: preview (3.0.1-preview > 3.0.1)

2021-10-04 15:27:15

BuiltIn

Guest Configuration

Authentication to Linux machines should require SSH keys

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.0)

2021-10-04 15:27:15

BuiltIn

Kubernetes

5d4e3c65-4873-47be-94f3-6f8b953a3598

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Version remains equal, old suffix: preview (2.1.1-preview > 2.1.1)

2021-10-04 15:27:15

BuiltIn

Event Hub

Azure Event Hub namespaces should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-10-04 15:27:15

BuiltIn

Security Center

af99038c-02fd-4a2f-ac24-386b62bf32de

[Preview]: Machines should have ports closed that might expose attack vectors

Azure's Terms Of Use prohibit the use of Azure services in ways that could damage, disable, overburden, or impair any Microsoft server, or the network. The exposed ports identified by this recommendation need to be closed for your continued security. For each identified port, the recommendation also provides an explanation of the potential threat.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-10-04 15:27:15

BuiltIn

Service Bus

910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e

Configure Azure Service Bus namespaces to disable local authentication

Disable local authentication methods so that your Azure ServiceBus namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-sb.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-10-04 15:27:15

BuiltIn

Guest Configuration

57f35901-8389-40bb-ac49-3ba4f86d889d

Audit Linux machines that have accounts without passwords

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-10-04 15:27:15

BuiltIn

Event Hub

Configure Azure Event Hub namespaces to disable local authentication

Disable local authentication methods so that your Azure Event Hub namespaces exclusively require Microsoft Entra ID identities for authentication. Learn more at: https://aka.ms/disablelocalauth-eh.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-10-04 15:27:15

BuiltIn

Guest Configuration

cfb11c26-f069-4c14-8e36-56c394dae5af

Audit Linux machines that allow remote connections from accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-10-04 15:27:15

BuiltIn

Service Bus

Azure Service Bus namespaces should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-10-04 15:27:15

BuiltIn

Guest Configuration

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)

2021-10-04 15:27:15

BuiltIn

Guest Configuration

98a2e215-5382-489e-bd29-32e7190a39ba

Audit Linux machines that have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (3.0.0 > 3.1.0)

2021-10-04 15:27:15

BuiltIn

Network

Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace

Deploy diagnostic settings to Azure Network Security Groups to stream resource logs to a Log Analytics workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-27 15:52:17

BuiltIn

Monitoring

2c89a2e5-7285-40fe-afe0-ae8654b92fab

Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-09-27 15:52:17

BuiltIn

Network

[Deprecated]: SSH access from the Internet should be blocked

This policy is deprecated. This policy audits any network security rule that allows SSH access from Internet

Default
Audit
Allowed
Audit, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2021-09-27 15:52:17

BuiltIn

Monitoring

efbde977-ba53-4479-b8e9-10b957924fbf

The Log Analytics extension should be installed on Virtual Machine Scale Sets

This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-09-27 15:52:17

BuiltIn

Security Center

bdc59948-5574-49b3-bb91-76b7c986428d

[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure machines to automatically create an association with the default data collection rule for Microsoft Defender for Cloud.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-27 15:52:17

BuiltIn

Security Center

[Deprecated]: Azure Defender for DNS should be enabled

This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2021-09-27 15:52:17

BuiltIn

Monitoring

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-09-27 15:52:17

BuiltIn

SQL

3d8640fc-63f6-4734-8dcb-cfd3d8c78f38

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2021-09-27 15:52:17

BuiltIn

Compute

[Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs

This policy deploys the Log Analytics Extension on Ubuntu VMs, and connects to the selected Log Analytics workspace

Fixed
deployIfNotExists

change

Patch, suffix remains equal (1.0.0-deprecated > 1.0.1-deprecated)

2021-09-27 15:52:17

BuiltIn

Kubernetes

ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee

[Deprecated]: Kubernetes clusters should gate deployment of vulnerable images

This policy definition is no longer the recommended way to achieve its intent. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-09-27 15:52:17

BuiltIn

Synapse

Configure Synapse workspaces to have auditing enabled

To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2021-09-27 15:52:17

BuiltIn

Monitoring

a70ca396-0a34-413a-88e1-b956c1e683be

[Deprecated]: Virtual machines should have the Log Analytics extension installed

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-09-27 15:52:17

BuiltIn

Monitoring

Configure Log Analytics extension on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-09-27 15:52:17

BuiltIn

Monitoring

1e7fed80-8321-4605-b42c-65fc300f23a3

[Deprecated]: Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-09-27 15:52:17

BuiltIn

Guest Configuration

[Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc

Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-27 15:52:17

BuiltIn

Storage

92a89a79-6c52-4a7e-a03f-61306fc49312

Storage accounts should prevent cross tenant object replication

Audit restriction of object replication for your storage account. By default, users can configure object replication with a source storage account in one Azure AD tenant and a destination account in a different tenant. It is a security concern because customer's data can be replicated to a storage account that is owned by the customer. By setting allowCrossTenantReplication to false, objects replication can be configured only if both source and destination accounts are in the same Azure AD tenant.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-09-27 15:52:17

BuiltIn

Guest Configuration

4078e558-bda6-41fb-9b3c-361e8875200d

[Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc

Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-27 15:52:17

BuiltIn

Monitoring

32133ab0-ee4b-4b44-98d6-042180979d50

[Deprecated]: Log Analytics Extension should be enabled for listed virtual machine images

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2021-09-27 15:52:17

BuiltIn

Security Center

e372f825-a257-4fb8-9175-797a8a8627d6

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.1.0-preview > 3.0.0-preview)

2021-09-27 15:52:17

BuiltIn

Network

[Deprecated]: RDP access from the Internet should be blocked

This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet

Default
Audit
Allowed
Audit, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2021-09-27 15:52:17

BuiltIn

Monitoring

Deploy Log Analytics extension for Linux VMs. See deprecation notice below

Fixed
deployIfNotExists

change

Patch (2.0.0 > 2.0.1)

2021-09-27 15:52:17

BuiltIn

Monitoring

84d327c3-164a-4685-b453-900478614456

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-09-27 15:52:17

BuiltIn

Key Vault

[Preview]: Configure Azure Key Vault Managed HSM to disable public network access

Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.

Default
Modify
Allowed
Modify, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-09-27 15:52:17

BuiltIn

Kubernetes

d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (7.0.0 > 7.0.1)

2021-09-27 15:52:17

BuiltIn

Monitoring

[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines

This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2021-09-27 15:52:17

BuiltIn

Monitoring

842c54e8-c2f9-4d79-ae8d-38d8b8019373

[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines

This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2021-09-27 15:52:17

BuiltIn

Monitoring

[Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-09-27 15:52:17

BuiltIn

Kubernetes

2dd0e8b9-4289-4bb0-b813-1883298e9924

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.1 > 4.0.0)

2021-09-21 16:12:09

BuiltIn

Event Grid

Configure Azure Event Grid partner namespaces to disable local authentication

Disable local authentication methods so that your Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Kubernetes

245fc9df-fa96-4414-9a0b-3738c2f7341c

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Kubernetes

Resource logs in Azure Kubernetes Service should be enabled

Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Kubernetes

30d1d58e-8f96-47a5-8564-499a3f3cca81

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.1 > 4.0.2)

2021-09-21 16:12:09

BuiltIn

Automation

Configure Azure Automation account to disable local authentication

Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Event Grid

ae9fb87f-8a17-4428-94a4-8135d431055c

Azure Event Grid topics should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Event Grid

1c8144d9-746a-4501-b08c-093c8d29ad04

Configure Azure Event Grid topics to disable local authentication

Disable local authentication methods so that your Azure Event Grid topics exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Automation

48c5f1cb-14ad-4797-8e3b-f78ab3f8d700

Azure Automation account should have local authentication method disabled

Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Event Grid

8bfadddb-ee1c-4639-8911-a38cb8e0b3bd

Azure Event Grid domains should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Event Grid

8632b003-3545-4b29-85e6-b2b96773df1e

Azure Event Grid partner namespaces should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure Event Grid partner namespaces exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Event Grid

8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1

Configure Azure Event Grid domains to disable local authentication

Disable local authentication methods so that your Azure Event Grid domains exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aeg-disablelocalauth.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-09-21 16:12:09

BuiltIn

Security Center

84d327c3-164a-4685-b453-900478614456

[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (4.0.0-preview > 5.0.0-preview)

2021-09-13 16:35:32

BuiltIn

Key Vault

[Preview]: Configure Azure Key Vault Managed HSM to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2021-09-13 16:35:32

BuiltIn

Security Center

Configure machines to receive a vulnerability assessment provider

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (2.1.0-preview > 2.2.0-preview)

2021-09-13 16:35:32

BuiltIn

Security Center

0367cfc4-90b3-46ba-a8a6-ddd5d3514878

[Deprecated]: Azure Security agent should be installed on your Windows virtual machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

[Deprecated]: Azure Security agent should be installed on your Windows Arc machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Monitoring

62b52eae-c795-44e3-94e8-1b3d264766fb

Deploy Diagnostic Settings for Service Bus to Log Analytics workspace

Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-09-13 16:35:32

BuiltIn

Security Center

[Deprecated]: Azure Security agent should be installed on your Linux virtual machine scale sets

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

1f300abb-f5a0-41c3-a163-91bd3ed35de7

[Deprecated]: Azure Security agent should be installed on your Linux Arc machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

e8794316-d918-4565-b57d-6b38a06381a0

[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.1 > 2.0.2)

2021-09-13 16:35:32

BuiltIn

Security Center

[Deprecated]: Azure Security agent should be installed on your Linux virtual machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

6654c8c4-e6f8-43f8-8869-54327af7ce32

[Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

[Deprecated]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

d01f3018-de9f-4d75-8dae-d12c1875da9f

[Deprecated]: Configure supported Windows Arc machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2021-09-13 16:35:32

BuiltIn

Security Center

2f47ec78-4301-4655-b78e-b29377030cdc

[Deprecated]: Azure Security agent should be installed on your Windows virtual machine scale sets

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Security Center

[Deprecated]: Configure supported Linux Arc machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-13 16:35:32

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

Kubernetes

ad5621d6-a877-4407-aa93-a950b428315e

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

Bot Service

BotService resources should use private link

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

App Service

6a4e6f44-f2af-4082-9702-033c9e88b9f8

App Service apps should have local authentication methods disabled for FTP deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Bot Service

Configure BotService resources to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to BotService related resources. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

App Service

Configure App Service app slots to disable local authentication for SCM sites

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.0 > 3.0.1)

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview)

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

Kubernetes

702133e5-5ec5-4f90-9638-c78e22f13b39

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

SignalR

Configure Azure SignalR Service to disable local authentication

Disable local authentication methods so that your Azure SignalR Service exclusively requires Azure Active Directory identities for authentication.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, suffix remains equal (2.1.0-preview > 2.1.1-preview)

2021-09-08 15:39:57

BuiltIn

App Service

App Service app slots should have local authentication methods disabled for SCM site deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, suffix remains equal (3.0.0-preview > 3.0.1-preview)

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.0 > 3.0.1)

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.0 > 5.0.1)

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.0 > 3.0.1)

2021-09-08 15:39:57

BuiltIn

App Service

App Service apps should have local authentication methods disabled for SCM site deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

Kubernetes

fe1c9040-c46a-4e81-9aea-c7850fbb3aa6

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.0 > 3.0.1)

2021-09-08 15:39:57

BuiltIn

Healthcare APIs

CORS should not allow every domain to access your FHIR Service

Default
Audit
Allowed
audit, Audit, disabled, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

App Service

App Service app slots should have local authentication methods disabled for FTP deployments

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (3.0.0 > 3.0.1)

2021-09-08 15:39:57

BuiltIn

SQL

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-09-08 15:39:57

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

App Service

Configure App Service apps to disable local authentication for SCM sites

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

672d56b3-23a7-4a3c-a233-b77ed7777518

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2021-09-08 15:39:57

BuiltIn

Internet of Things

Azure IoT Hub should have local authentication methods disabled for Service Apis

Disabling local authentication methods improves security by ensuring that Azure IoT Hub exclusively require Azure Active Directory identities for Service Api authentication. Learn more at: https://aka.ms/iothubdisablelocalauth.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

App Service

Configure App Service apps to disable local authentication for FTP deployments

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

App Service

Configure App Service app slots to disable local authentication for FTP deployments

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

29261f8e-efdb-4255-95b8-8215414515d6

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

Bot Service

Configure BotService resources with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your BotService resource, you can reduce data leakage risks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

9f8ba900-a70f-486e-9ffc-faf907305376

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (4.0.0 > 4.0.1)

2021-09-08 15:39:57

BuiltIn

Internet of Things

Configure Azure IoT Hub to disable local authentication

Disable local authentication methods so that your Azure IoT Hub exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/iothubdisablelocalauth.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-09-08 15:39:57

BuiltIn

Kubernetes

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

change

Major (1.0.0 > 2.0.0)

2021-08-30 14:27:30

BuiltIn

Key Vault

Certificates should not expire within the specified number of days

Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.0.0-preview > 2.0.1)

2021-08-30 14:27:30

BuiltIn

Storage

Storage account public access should be disallowed

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (2.0.1-preview > 3.0.1-preview)

2021-08-30 14:27:30

BuiltIn

Kubernetes

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-08-30 14:27:30

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.0 > 5.0.0)

2021-08-30 14:27:30

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-08-30 14:27:30

BuiltIn

SQL

b0eb591a-5e70-4534-a8bf-04b9c489584a

Configure SQL servers to have auditing enabled

To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-08-30 14:27:30

BuiltIn

Key Vault

Secrets should have more than the specified number of days before expiration

If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Security Center

8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2

[Deprecated]: Endpoint protection health issues should be resolved on your machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-08-30 14:27:30

BuiltIn

Key Vault

49a22571-d204-4c91-a7b6-09b1a586fbc9

Keys should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Key Vault

342e8053-e12e-4c44-be01-c3c2f318400f

Secrets should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Monitoring

0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6

Azure Monitor Private Link Scope should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-08-30 14:27:30

BuiltIn

Key Vault

152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0

Key Vault keys should have an expiration date

Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.1-preview > 1.0.2)

2021-08-30 14:27:30

BuiltIn

Key Vault

e8d99835-8a06-45ae-a8e0-87a91941ccfe

Secrets should not be active for longer than the specified number of days

If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Key Vault

75262d3e-ba4a-4f43-85f8-9f72c090e5e3

Secrets should have content type set

A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Kubernetes

df73bd95-24da-4a4f-96b9-4e8b94b402bd

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (2.1.0-preview > 3.0.0-preview)

2021-08-30 14:27:30

BuiltIn

API Management

API Management should disable public network access to the service configuration endpoints

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-08-30 14:27:30

BuiltIn

Key Vault

Certificates should use allowed key types

Manage your organizational compliance requirements by restricting the key types allowed for certificates.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.0.0-preview > 2.0.1)

2021-08-30 14:27:30

BuiltIn

Kubernetes

82067dbb-e53b-4e06-b631-546d197452d9

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-08-30 14:27:30

BuiltIn

Key Vault

Keys using RSA cryptography should have a specified minimum key size

Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.0.0 > 7.0.0)

2021-08-30 14:27:30

BuiltIn

Kubernetes

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-08-30 14:27:30

BuiltIn

Key Vault

Certificates using elliptic curve cryptography should have allowed curve names

Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.0.0-preview > 2.0.1)

2021-08-30 14:27:30

BuiltIn

Key Vault

98728c90-32c7-4049-8429-847dc0f4fe37

Certificates using RSA cryptography should have the specified minimum key size

Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.0.0-preview > 2.0.1)

2021-08-30 14:27:30

BuiltIn

Key Vault

Key Vault secrets should have an expiration date

Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.1-preview > 1.0.2)

2021-08-30 14:27:30

BuiltIn

Kubernetes

75c4f823-d65c-4f29-a733-01d0077fdbcb

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-08-30 14:27:30

BuiltIn

Key Vault

Keys should be the specified cryptographic type RSA or EC

Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Key Vault

Certificates should be issued by the specified non-integrated certificate authority

Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.0.0-preview > 2.0.1)

2021-08-30 14:27:30

BuiltIn

Key Vault

1f7c564c-0a90-4d44-b7e1-9d456cffaee8

Certificates should have the specified lifetime action triggers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.0.0-preview > 2.0.1)

2021-08-30 14:27:30

BuiltIn

Security Center

[Deprecated]: Endpoint protection should be installed on your machines

To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-08-30 14:27:30

BuiltIn

API Management

7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2

Configure API Management services to disable access to API Management public service configuration endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-08-30 14:27:30

BuiltIn

Key Vault

Certificates should be issued by the specified integrated certificate authority

Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, old suffix: preview (2.0.0-preview > 2.0.1)

2021-08-30 14:27:30

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-08-30 14:27:30

BuiltIn

Kubernetes

ff25f3c8-b739-4538-9d07-3d6d25cfb255

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-08-30 14:27:30

BuiltIn

Key Vault

Keys using elliptic curve cryptography should have the specified curve names

Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-08-30 14:27:30

BuiltIn

Kubernetes

587c79fe-dd04-4a5e-9d0b-f89598c7261b

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.0 > 4.0.0)

2021-08-30 14:27:30

BuiltIn

Key Vault

Keys should be backed by a hardware security module (HSM)

An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Key Vault

5ff38825-c5d8-47c5-b70e-069a21955146

Keys should have more than the specified number of days before expiration

If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Key Vault

c26e4b24-cf98-4c67-b48b-5a25c4c69eb9

Keys should not be active for longer than the specified number of days

Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, old suffix: preview (1.0.0-preview > 1.0.1)

2021-08-30 14:27:30

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-08-30 14:27:30

BuiltIn

Security Center

59fee2f4-d439-4f1b-9b9a-982e1474bfd8

[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-08-23 14:26:16

BuiltIn

Key Vault

[Preview]: Azure Key Vault Managed HSM should use private link

Private link provides a way to connect Azure Key Vault Managed HSM to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-08-23 14:26:16

BuiltIn

Security Center

95406fc3-1f69-47b0-8105-4c03b276ec5c

[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-08-23 14:26:16

BuiltIn

Cognitive Services

[Deprecated]: Cognitive Services accounts should disable public network access

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Major (1.0.1 > 2.0.0)

2021-08-23 14:26:16

BuiltIn

Cognitive Services

d1d6d8bb-cc7c-420f-8c7d-6f6f5279a844

[Deprecated]: Cognitive Services should use private link

Default
Audit
Allowed
Audit, Disabled

change

Major (1.0.0 > 2.0.0)

2021-08-23 14:26:16

BuiltIn

Key Vault

[Preview]: Configure Azure Key Vault Managed HSM with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Key Vault Managed HSM, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-08-23 14:26:16

BuiltIn

Storage

19ea9d63-adee-4431-a95e-1913c6c1c75f

Storage accounts should use customer-managed key for encryption

Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.2 > 1.0.3)

2021-08-23 14:26:16

BuiltIn

Key Vault

[Preview]: Azure Key Vault Managed HSM should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-23 14:26:16

BuiltIn

Storage

bfecdea6-31c4-4045-ad42-71b9dc87247d

Storage account encryption scopes should use double encryption for data at rest

Enable infrastructure encryption for encryption at rest of your storage account encryption scopes for added security. Infrastructure encryption ensures that your data is encrypted twice.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-23 14:26:16

BuiltIn

Security Center

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-08-23 14:26:16

BuiltIn

Security Center

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-08-23 14:26:16

BuiltIn

Security Center

[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (3.0.0-preview > 4.0.0-preview)

2021-08-23 14:26:16

BuiltIn

Azure Ai Services

Azure AI Services resources should restrict network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-08-23 14:26:16

BuiltIn

Cognitive Services

Configure Cognitive Services accounts with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-08-23 14:26:16

BuiltIn

Kubernetes

Azure Kubernetes Service clusters should have Defender profile enabled

Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-08-23 14:26:16

BuiltIn

Kubernetes

Configure Azure Kubernetes Service clusters to enable Defender profile

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-08-23 14:26:16

BuiltIn

Security Center

ffea632e-4e3a-4424-bf78-10e179bb2e1a

[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-08-23 14:26:16

BuiltIn

Bot Service

Bot Service should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that a bot uses AAD exclusively for authentication.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-23 14:26:16

BuiltIn

SQL

c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd

Configure Azure Defender to be enabled on SQL managed instances

Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-08-23 14:26:16

BuiltIn

Cognitive Services

47ba1dd7-28d9-4b07-a8d5-9813bed64e0c

Configure Cognitive Services accounts to disable public network access

Default
Modify
Allowed
Disabled, Modify

change

Major (1.0.0 > 2.0.0)

2021-08-23 14:26:16

BuiltIn

0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6

n/a

remove

0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6

2021-08-16 16:08:10 (i)

BuiltIn

Media Services

8bfe3603-0888-404a-87ff-5c1b6b4cc5e3

[Deprecated]: Azure Media Services accounts should disable public network access

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-13 17:07:49

BuiltIn

Kubernetes

0a370ff3-6cab-4e85-8995-295fd854c5b8

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.1.0 > 7.0.0)

2021-08-13 17:07:49

BuiltIn

SQL

SQL servers should use customer-managed keys to encrypt data at rest

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-13 17:07:49

BuiltIn

SQL

78215662-041e-49ed-a9dd-5385911b3a1f

Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-13 17:07:49

BuiltIn

SQL

ac01ad65-10e5-46df-bdd9-6b0cad13e1d2

SQL managed instances should use customer-managed keys to encrypt data at rest

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-13 17:07:49

BuiltIn

SQL

abda6d70-9778-44e7-84a8-06713e6db027

Azure SQL Database should have Microsoft Entra-only authentication enabled during creation

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-13 17:07:49

BuiltIn

Kubernetes

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2021-08-13 17:07:49

BuiltIn

SQL

524b0254-c285-4903-bee6-bb8126cde579

[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-08-09 19:32:42

BuiltIn

Container Registry

Container registries should have exports disabled

Disabling exports improves security by ensuring data in a registry is accessed solely via the dataplane ('docker pull'). Data cannot be moved out of the registry via 'acr import' or via 'acr transfer'. In order to disable exports, public network access must be disabled. Learn more at: https://aka.ms/acr/export-policy.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-09 19:32:42

BuiltIn

Batch

4dbc2f5c-51cf-4e38-9179-c7028eed2274

Configure Batch accounts to disable local authentication

Disable location authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-08-09 19:32:42

BuiltIn

Kubernetes

993c2fcd-2b29-49d2-9eb0-df2c3a730c32

Azure Kubernetes Service Clusters should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-09 19:32:42

BuiltIn

SignalR

f70eecba-335d-4bbc-81d5-5b17b03d498f

Azure SignalR Service should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Azure SignalR Service exclusively require Azure Active Directory identities for authentication.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-09 19:32:42

BuiltIn

Batch

6f68b69f-05fe-49cd-b361-777ee9ca7e35

Batch accounts should have local authentication methods disabled

Disabling local authentication methods improves security by ensuring that Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-08-09 19:32:42

BuiltIn

Batch

1760f9d4-7206-436e-a28f-d9f3a5c8a227

Azure Batch pools should have disk encryption enabled

Enabling Azure Batch disk encryption ensures that data is always encrypted at rest on your Azure Batch compute node. Learn more about disk encryption in Batch at https://docs.microsoft.com/azure/batch/disk-encryption.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2021-08-09 19:32:42

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (2.1.0-preview > 3.0.0-preview)

2021-08-02 15:58:22

BuiltIn

Machine Learning

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-08-02 15:58:22

BuiltIn

Machine Learning

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-08-02 15:58:22

BuiltIn

Machine Learning

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (2.1.0-preview > 3.0.0-preview)

2021-08-02 15:58:22

BuiltIn

Machine Learning

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-08-02 15:58:22

BuiltIn

Machine Learning

deeddb44-9f94-4903-9fa0-081d524406e3

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (2.1.0-preview > 3.1.0-preview)

2021-08-02 15:58:22

BuiltIn

Backup

[Preview]: Azure Recovery Services vaults should use private link for backup

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints.

Default
Audit
Allowed
Audit, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-07-30 15:17:20

BuiltIn

Security Center

133047bf-1369-41e3-a3be-74a11ed1395a

[Deprecated]: Configure Azure Defender for Kubernetes to be enabled

Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Network

21a6bc25-125e-4d13-b82d-2e19b7208ab7

VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users

Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Monitoring

8e86a5b6-b9bd-49d1-8e21-4bb8a0862222

Configure Dependency agent on Azure Arc enabled Linux servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2021-07-30 15:17:20

BuiltIn

Security Center

Configure Azure Defender for servers to be enabled

Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Monitoring

044985bb-afe1-42cd-8a36-9d5d42424537

Configure Log Analytics extension on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2021-07-30 15:17:20

BuiltIn

Storage

Storage account keys should not be expired

Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (2.0.0 > 3.0.0)

2021-07-30 15:17:20

BuiltIn

Security Center

76a56461-9dc0-40f0-82f5-2453283afa2f

[Deprecated]: Configure Azure Defender for DNS to be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Azure AI Search services should use customer-managed keys to encrypt data at rest

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

SQL

d3ba9c42-9dd5-441a-957c-274031c750c0

Configure SQL servers to have auditing enabled

To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2021-07-30 15:17:20

BuiltIn

Monitoring

Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-07-30 15:17:20

BuiltIn

SQL

36d49e87-48c4-4f2e-beed-ba4ed02b71f5

Configure Azure Defender to be enabled on SQL servers

Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Fixed
DeployIfNotExists

change

Minor (2.0.0 > 2.1.0)

2021-07-30 15:17:20

BuiltIn

Security Center

08a6b96f-576e-47a2-8511-119a212d344d

Configure Microsoft Defender for Key Vault plan

Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Azure Edge Hardware Center

Azure Edge Hardware Center devices should have double encryption support enabled

Ensure that devices ordered from Azure Edge Hardware Center have double encryption support enabled, to secure the data at rest on the device. This option adds a second layer of data encryption.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Monitoring

c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd

Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2021-07-30 15:17:20

BuiltIn

SQL

Configure Azure Defender to be enabled on SQL managed instances

Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Security Center

50ea7265-7d8c-429e-9a7d-ca1f410191c3

Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance

Fixed
deployIfNotExists

change

Major (3.0.0 > 4.0.0)

2021-07-30 15:17:20

BuiltIn

Security Center

Configure Azure Defender for SQL servers on machines to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Security Center

0a9fbe0d-c5c4-4da8-87d8-f4fd77338835

Azure Defender for open-source relational databases should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Backup

af783da1-4ad1-42be-800d-d19c70038820

[Preview]: Configure Recovery Services vaults to use private DNS zones for backup

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2021-07-30 15:17:20

BuiltIn

Security Center

d3d1e68e-49d4-4b56-acff-93cef644b432

Deploy export to Event Hub for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Major (3.0.0 > 4.0.0)

2021-07-30 15:17:20

BuiltIn

Security Center

[Deprecated]: Configure Azure Defender for container registries to be enabled

Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Security Center

b99b73e7-074b-4089-9395-b7236f094491

Deploy Workflow Automation for Microsoft Defender for Cloud alerts

Fixed
deployIfNotExists

change

Major (3.0.0 > 4.0.0)

2021-07-30 15:17:20

BuiltIn

Security Center

Configure Azure Defender for Azure SQL database to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Security Center

b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d

Configure Azure Defender for Resource Manager to be enabled

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Security Center

Configure Azure Defender for App Service to be enabled

Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Security Center

74c30959-af11-47b3-9ed2-a26e03f427a3

[Deprecated]: Configure Microsoft Defender for Storage (Classic) to be enabled

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-30 15:17:20

BuiltIn

Security Center

Deploy Workflow Automation for Microsoft Defender for Cloud recommendations

Fixed
deployIfNotExists

change

Major (3.0.0 > 4.0.0)

2021-07-30 15:17:20

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.2.1 > 2.0.0)

2021-07-30 15:17:20

BuiltIn

Security Center

17k78e20-9358-41c9-923c-fb736d382a12

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Major (3.0.0 > 4.0.0)

2021-07-30 15:17:20

BuiltIn

SQL

Transparent Data Encryption on SQL databases should be enabled

Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-07-16 14:58:38

BuiltIn

SQL

86a912f6-9a06-4e26-b447-11b16ba8659f

Deploy SQL DB transparent data encryption

Enables transparent data encryption on SQL databases

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-07-16 14:58:38

BuiltIn

Cache

5d8094d7-7340-465a-b6fd-e60ab7e48920

Configure Azure Cache for Redis with private endpoints

Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-15 16:24:53

BuiltIn

Security Center

[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-07-15 16:24:53

BuiltIn

Cosmos DB

dddfa1af-dcd6-42f4-b5b0-e1db01e0b405

Azure Cosmos DB accounts should have firewall rules

Default
Deny
Allowed
Audit, Deny, Disabled

change

Major (1.0.1 > 2.0.0)

2021-07-15 16:24:53

BuiltIn

Monitoring

Configure Azure Application Insights components to disable public network access for log ingestion and querying

Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights.

Default
Modify
Allowed
Modify, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-07-15 16:24:53

BuiltIn

Monitoring

437914ee-c176-4fff-8986-7e05eb971365

Configure Azure Monitor Private Link Scope to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Service Bus

ebaf4f25-a4e8-415f-86a8-42d9155bef0b

Service Bus namespaces should have double encryption enabled

Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Event Hub

836cd60e-87f3-4e6a-a27c-29d687f01a4c

Event Hub namespaces should have double encryption enabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Cosmos DB

dc2d41d1-4ab1-4666-a3e1-3d51c43e0049

Configure Cosmos DB database accounts to disable local authentication

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Monitoring

dddfa1af-dcd6-42f4-b5b0-e1db01e0b405

Configure Azure Application Insights components to disable public network access for log ingestion and querying

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Media Services

4a591bf5-918e-4a5f-8dad-841863140d61

[Deprecated]: Azure Media Services should use private link

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Media Services

c5632066-946d-4766-9544-cd79bcc1286e

[Deprecated]: Configure Azure Media Services with private endpoints

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

App Service

687aa49d-0982-40f8-bf6b-66d1da97a04b

App Service apps should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Monitoring

d3ba9c42-9dd5-441a-957c-274031c750c0

Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Media Services

b4a7f6c1-585e-4177-ad5b-c2c93f4bb991

[Deprecated]: Configure Azure Media Services to use private DNS zones

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Monitoring

0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6

Azure Monitor Private Link Scope should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Security Center

c3d20c29-b36d-48fe-808b-99a87530ad99

Azure Defender for Resource Manager should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2021-07-07 15:26:31

BuiltIn

Cosmos DB

5450f5bd-9c72-4390-a9c4-a7aba4edfdd2

Cosmos DB database accounts should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Monitoring

e8185402-357b-4768-8058-f620bc0ae6b5

Configure Azure Monitor Private Link Scopes with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

Storage

044985bb-afe1-42cd-8a36-9d5d42424537

Storage account keys should not be expired

Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-07-07 15:26:31

BuiltIn

App Service

b318f84a-b872-429b-ac6d-a01b96814452

App Service apps should use a SKU that supports private link

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-07-07 15:26:31

BuiltIn

App Service

Configure App Service apps to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

Monitoring

8e3e61b3-0b32-22d5-4edf-55f87fdb5955

Configure Log Analytics workspace and automation account to centralize logs and monitoring

Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

Monitoring

0c4bd2e8-8872-4f37-a654-03f6f38ddc76

Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger.

To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

App Service

63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7

[Deprecated]: App Services should disable public network access

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

Security Center

817dcf37-e83d-4999-a472-644eada2ea1e

[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent

This policy is deprecated as part of Microsoft Defender for Cloud updated strategy. As part of this strategy, Azure Monitor agent is no longer required to receive Defender for Servers security features, but is required for Defender for SQL Server on machines. For more information visit: https://aka.ms/MdcAgentStrategy. Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

App Service

App Service Environment should be configured with strongest TLS Cipher suites

The two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

App Service

eb4d34ab-0929-491c-bbf3-61e13da19f9a

App Service apps should have resource logs enabled

Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 1.0.0)

2021-06-22 14:29:30

BuiltIn

App Service

App Service Environment should be provisioned with latest versions

Only allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

App Service

235359c5-7c52-4b82-9055-01c75cf9f60e

App Service apps should be injected into a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

Network

[Deprecated]: Service Bus should use a virtual network service endpoint

This policy audits any Service Bus not configured to use a virtual network service endpoint. The resource type Microsoft.ServiceBus/namespaces/virtualNetworkRules is deprecated in the latest API version.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2021-06-22 14:29:30

BuiltIn

Monitoring

e15effd4-2278-4c65-a0da-4d6f6d1890e2

Log Analytics Workspaces should block non-Azure Active Directory based ingestion.

Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system.

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

App Service

81dff7c0-4020-4b58-955d-c076a2136b56

[Deprecated]: Configure App Services to disable public network access

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

Monitoring

199d5677-e4d9-4264-9465-efe1839c06bd

Application Insights components should block non-Azure Active Directory based ingestion.

Default
Audit
Allowed
Deny, Audit, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

Security Center

951af2fa-529b-416e-ab6e-066fd85ac459

[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-06-22 14:29:30

BuiltIn

Key Vault

Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace

Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-06-22 14:29:30

BuiltIn

Security Center

2d048aca-6479-4923-88f5-e2ac295d9af3

[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-06-22 14:29:30

BuiltIn

App Service

App Service Environment apps should not be reachable over public internet

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

App Service

d79ab062-dffd-4318-8344-f70de714c0bc

[Deprecated]: App Service should disable public network access

Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint.

Default
Audit
Allowed
Audit, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2021-06-22 14:29:30

BuiltIn

Storage

8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54

Storage accounts should prevent shared key access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-06-22 14:29:30

BuiltIn

Data Lake

c95c74d9-38fe-4f0d-af86-0c7d626a315c

Resource logs in Data Lake Analytics should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

Batch

428256e6-1fac-4f48-a757-df34c2b3336d

Resource logs in Batch accounts should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

Event Hub

83a214f7-d01a-484b-91a9-ed54470c9a6a

Resource logs in Event Hub should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

Data Lake

057ef27e-665e-4328-8ea3-04b3122bd9fb

Resource logs in Azure Data Lake Store should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

Logic Apps

34f95f76-5386-4de7-b824-0d8478470c9d

Resource logs in Logic Apps should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

b4330a05-a843-4bc8-bf9a-cacce50c67f4

Resource logs in Search services should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

Service Bus

f8d36e2f-389b-4ee4-898d-21aeb69a0f45

Resource logs in Service Bus should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

App Service

cf820ca0-f99e-4f3e-84fb-66e913812d21

App Service apps should have resource logs enabled

Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-06-17 14:24:41

BuiltIn

Key Vault

Resource logs in Key Vault should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

Stream Analytics

f9be5368-9bf5-4b84-9e0a-7850da98bb46

Resource logs in Azure Stream Analytics should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (4.0.1 > 5.0.0)

2021-06-17 14:24:41

BuiltIn

Backup

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0)

2021-06-15 14:05:41

BuiltIn

Backup

79fdfe03-ffcb-4e55-b4d0-b925b8241759

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0)

2021-06-15 14:05:41

BuiltIn

Container Registry

Configure container registries to disable local admin account.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-06-15 14:05:41

BuiltIn

Backup

dc921057-6b28-4fbe-9b83-f7bec05db6c2

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0)

2021-06-15 14:05:41

BuiltIn

Container Registry

Container registries should have local admin account disabled.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-06-15 14:05:41

BuiltIn

SQL

6134c3db-786f-471e-87bc-8f479dc890f6

Deploy Advanced Data Security on SQL servers

Fixed
DeployIfNotExists

change

Minor (1.1.0 > 1.2.0)

2021-06-08 15:17:13

BuiltIn

Security Center

7cb1b219-61c6-47e0-b80c-4472cadeeb5f

[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-06-08 15:17:13

BuiltIn

Key Vault

abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9

Azure Key Vault should have firewall enabled or public network access disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)

2021-06-08 15:17:13

BuiltIn

SQL

Azure Defender for SQL should be enabled for unprotected Azure SQL servers

Audit SQL servers without Advanced Data Security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-06-08 15:17:13

BuiltIn

SQL

abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9

Azure Defender for SQL should be enabled for unprotected SQL Managed Instances

Audit each SQL Managed Instance without advanced data security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2021-06-08 15:17:13

BuiltIn

Security Center

e494853f-93c3-4e44-9210-d12f61a64b34

[Preview]: Configure supported virtual machines to automatically enable vTPM

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-06-08 15:17:13

BuiltIn

Security Center

95406fc3-1f69-47b0-8105-4c03b276ec5c

[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-06-08 15:17:13

BuiltIn

Kubernetes

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.1.0 > 6.1.1)

2021-06-08 15:17:13

BuiltIn

Key Vault

Key vaults should have deletion protection enabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.1.1 > 2.0.0)

2021-06-08 15:17:13

BuiltIn

Kubernetes

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (6.1.0 > 6.1.1)

2021-06-08 15:17:13

BuiltIn

Key Vault

Key vaults should have soft delete enabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.2 > 2.0.0)

2021-06-08 15:17:13

BuiltIn

Kubernetes

b08ab3ca-1062-4db3-8803-eec9cae605d6

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2021-06-02 22:44:52

BuiltIn

App Configuration

App Configuration stores should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-06-02 22:44:52

BuiltIn

Network

b6e2945c-0b7b-40f5-9233-7a5323b5cdc6

Network Watcher should be enabled

Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-06-02 22:44:52

BuiltIn

Security Center

72bc14af-4ab8-43af-b4e4-38e7983f9a1f

[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-06-02 22:44:52

BuiltIn

App Configuration

Configure App Configuration stores to disable local authentication methods

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-06-02 22:44:52

BuiltIn

Monitoring

[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs

Default
Modify
Allowed
Modify, Disabled

count: 003
•Managed Identity Contributor
•Managed Identity Operator
•Virtual Machine Contributor

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-06-02 22:44:52

BuiltIn

Monitoring

15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-06-02 22:44:52

BuiltIn

Security Center

Log Analytics agent should be installed on your Cloud Services (extended support) role instances

Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-06-02 22:44:52

BuiltIn

Cognitive Services

14de9e63-1b31-492e-a5a3-c3f7fd57f555

Configure Cognitive Services accounts to disable local authentication methods

Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-06-02 22:44:52

BuiltIn

Security Center

2ada9901-073c-444a-9a9a-91865174f0aa

[Preview]: Configure Azure Defender for SQL agent on virtual machine

Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-06-02 22:44:52

BuiltIn

Azure Ai Services

71ef260a-8f18-47b7-abcb-62d0673d94dc

Azure AI Services resources should have key access disabled (disable local authentication)

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-06-02 22:44:52

BuiltIn

Web PubSub

5b1213e4-06e4-4ccc-81de-4201f2f7131a

Configure Azure Web PubSub Service to disable public network access

Disable public network access for your Azure Web PubSub resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/awps/networkacls.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Monitoring

52630df9-ca7e-442b-853b-c6ce548b31a2

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2021-05-26 13:43:16

BuiltIn

Web PubSub

[Deprecated]: Azure Web PubSub Service should use private link

The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/eb907f70-7514-460d-92b3-a5ae93b4f917 instead.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

SQL

PostgreSQL servers should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.3 > 1.0.4)

2021-05-26 13:43:16

BuiltIn

SQL

MySQL servers should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.3 > 1.0.4)

2021-05-26 13:43:16

BuiltIn

Kubernetes

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-05-26 13:43:16

BuiltIn

Monitoring

94c1f94d-33b0-4062-bd04-1cdc3e7eece2

Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Monitoring

Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys

Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2021-05-26 13:43:16

BuiltIn

Guest Configuration

3e4e2bd5-15a2-4628-b3e1-58977e9793f3

Audit Windows machines that do not have the specified Windows PowerShell modules installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-05-26 13:43:16

BuiltIn

Security Center

b1bb3592-47b8-4150-8db0-bfdcc2c8965b

[Preview]: Linux virtual machines should use Secure Boot

To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Web PubSub

82909236-25f3-46a6-841c-fe1020f95ae1

Azure Web PubSub Service should use a SKU that supports private link

With supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Web PubSub

1b9c0b58-fc7b-42c8-8010-cdfa1d1b8544

Configure Azure Web PubSub Service with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Monitoring

e95a8a5c-0987-421f-84ab-df4d88ebf7d1

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2021-05-26 13:43:16

BuiltIn

Site Recovery

[Preview]: Configure private endpoints on Azure Recovery Services vaults

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

App Service

d79ab062-dffd-4318-8344-f70de714c0bc

[Deprecated]: App Service should disable public network access

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Security Center

f6358610-e532-4236-b178-4c65865eb262

[Preview]: Virtual machines guest attestation status should be healthy

Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection. This assessment only applies to Trusted Launch enabled virtual machines that have Guest Attestation extension installed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Kubernetes

bf45113f-264e-4a87-88f9-29ac8a0aca6a

[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Web PubSub

Azure Web PubSub Service should disable public network access

Disabling public network access improves security by ensuring that Azure Web PubSub service isn't exposed on the public internet. Creating private endpoints can limit exposure of Azure Web PubSub service. Learn more at: https://aka.ms/awps/networkacls.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Web PubSub

0b026355-49cb-467b-8ac4-f777874e175a

Configure Azure Web PubSub Service to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Backup

af783da1-4ad1-42be-800d-d19c70038820

[Preview]: Configure Recovery Services vaults to use private DNS zones for backup

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Monitoring

11e3da8c-1d68-4392-badd-0ff3c43ab5b0

Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Site Recovery

[Preview]: Recovery Services vaults should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Site Recovery

942bd215-1a66-44be-af65-6a1c0318dbe2

[Preview]: Configure Azure Recovery Services vaults to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-26 13:43:16

BuiltIn

Media Services

e9914afe-31cd-4b8a-92fa-c887f847d477

[Deprecated]: Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-05-18 14:34:48

BuiltIn

Synapse

5c8cad01-ef30-4891-b230-652dadb4876a

Configure Azure Synapse workspaces to disable public network access

Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Guest Configuration

3aa87b5a-7813-4b57-8a43-42dd9df5aaa7

Linux machines should only have local accounts that are allowed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Azure Active Directory

Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode

Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-05-18 14:34:48

BuiltIn

Media Services

daccf7e4-9808-470c-a848-1c5b582a1afb

[Deprecated]: Azure Media Services content key policies should use token authentication

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Network

ccf93279-9c91-4143-a841-8d1f21505455

Configure network security groups to enable traffic analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Media Services

[Deprecated]: Azure Media Services accounts that allow access to the legacy v2 API should be blocked

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Synapse

38d8df46-cf4e-4073-8e03-48c24b29de0d

Azure Synapse workspaces should disable public network access

Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Network

2f080164-9f4d-497e-9db6-416dc9f7b48a

Network Watcher flow logs should have traffic analytics enabled

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Monitoring

f47b5582-33ec-4c5c-87c0-b010a6b2e917

[Deprecated]: Virtual machines should be connected to a specified workspace

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Minor (1.0.1 > 1.1.0)

2021-05-18 14:34:48

BuiltIn

Media Services

a77d8bb4-8d22-4bc1-a884-f582a705b480

[Deprecated]: Azure Media Services accounts should use an API that supports Private Link

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Network

f79fef0d-0050-4c18-a303-5babb9c14ac7

Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Guest Configuration

Windows machines should only have local accounts that are allowed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-05-18 14:34:48

BuiltIn

Monitoring

1bc02227-0cb6-4e11-8f53-eb0b22eab7e8

Application Insights components should block log ingestion and querying from public networks

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

Compute

bc05b96c-0b36-4ca9-82f0-5c53f96ce05a

Configure disk access resources to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

Monitoring

41388f1c-2db0-4c25-95b2-35d7f5ccbfa9

Azure Monitor should collect activity logs from all regions

This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-05-11 14:06:18

BuiltIn

SQL

Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

SQL

Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

Machine Learning

Configure Azure Machine Learning Computes to disable local authentication methods

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

Guest Configuration

Windows machines should be configured to use secure communication protocols

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2021-05-11 14:06:18

BuiltIn

Machine Learning

Azure Machine Learning Computes should have local authentication methods disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

Kubernetes

044985bb-afe1-42cd-8a36-9d5d42424537

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (6.0.0 > 7.0.0)

2021-05-11 14:06:18

BuiltIn

Storage

Storage account keys should not be expired

Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

SQL

9a7c7a7d-49e5-4213-bea8-6a502b6272e0

Deploy Diagnostic Settings for Azure SQL Database to Event Hub

Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is created or updated.

Fixed
DeployIfNotExists

change

Minor (1.1.0 > 1.2.0)

2021-05-11 14:06:18

BuiltIn

Guest Configuration

6c53d030-cc64-46f0-906d-2bc061cd1334

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

Patch (1.0.0 > 1.0.1)

2021-05-11 14:06:18

BuiltIn

Monitoring

Log Analytics workspaces should block log ingestion and querying from public networks

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

Guest Configuration

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)

2021-05-11 14:06:18

BuiltIn

Guest Configuration

Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

Fixed
deployIfNotExists

change

Patch (1.0.0 > 1.0.1)

2021-05-11 14:06:18

BuiltIn

Guest Configuration

Windows machines should meet requirements of the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2021-05-11 14:06:18

BuiltIn

Data Factory

SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-05-11 14:06:18

BuiltIn

SQL

Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-11 14:06:18

BuiltIn

Security Center

1c30f9cd-b84c-49cc-aa2c-9288447cc3b3

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Security Center

[Preview]: vTPM should be enabled on supported virtual machines

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Security Center

1cb4d9c2-f88f-4069-bee0-dba239a57b09

[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Security Center

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Monitoring

[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs

Default
Modify
Allowed
Modify, Disabled

count: 003
•Managed Identity Contributor
•Managed Identity Operator
•Virtual Machine Contributor

change

Major, suffix remains equal (1.2.0-preview > 2.0.0-preview)

2021-05-04 14:34:06

BuiltIn

Security Center

[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-05-04 14:34:06

BuiltIn

Security Center

97566dd7-78ae-4997-8b36-1c7bfe0d8121

[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Security Center

[Preview]: Secure Boot should be enabled on supported Windows virtual machines

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Bot Service

52152f42-0dda-40d9-976e-abb1acdd611e

Bot Service should have isolated mode enabled

Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Security Center

[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Security Center

Configure machines to receive a vulnerability assessment provider

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2021-05-04 14:34:06

BuiltIn

App Service

b5ec538c-daa0-4006-8596-35468b9148e8

App Service apps that use PHP should use a specified 'PHP version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2021-05-04 14:34:06

BuiltIn

Storage

Storage account encryption scopes should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Security Center

[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

App Service

5a913c68-0590-402c-a531-e57e19379da3

[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2021-05-04 14:34:06

BuiltIn

Security Center

[Deprecated]: Operating system version should be the most current version for your cloud service roles

Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2021-05-04 14:34:06

BuiltIn

App Service

d6545c6b-dd9d-4265-91e6-0b451e2f1c50

App Service Environment should have TLS 1.0 and 1.1 disabled

TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-05-04 14:34:06

BuiltIn

Security Center

e9914afe-31cd-4b8a-92fa-c887f847d477

[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Media Services

[Deprecated]: Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns

This policy is deprecated because Media Services retirement. Learn more about policy definition deprecation at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
Deny, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

Security Center

33228571-70a4-4fa1-8ca1-26d0aba8d6ef

[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-05-04 14:34:06

BuiltIn

App Service

[Deprecated]: App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network

By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-04-27 15:38:15

BuiltIn

Monitoring

a0c11ca4-5828-4384-a2f2-fd7444dd5b4d

Configure Log Analytics extension on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.1.0-preview > 1.2.0)

2021-04-27 15:38:15

BuiltIn

Security Center

Cloud Services (extended support) role instances should be configured securely

Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not expolosed to any OS vulnerabilities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-04-27 15:38:15

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.2.0 > 1.2.1)

2021-04-27 15:38:15

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-04-27 15:38:15

BuiltIn

Backup

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-04-27 15:38:15

BuiltIn

Monitoring

6134c3db-786f-471e-87bc-8f479dc890f6

Configure Dependency agent on Azure Arc enabled Linux servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.1.0-preview > 1.2.0)

2021-04-27 15:38:15

BuiltIn

SQL

Deploy Advanced Data Security on SQL servers

Fixed
DeployIfNotExists

change

Minor (1.0.0 > 1.1.0)

2021-04-27 15:38:15

BuiltIn

SQL

b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13

SQL Database should avoid using GRS backup redundancy

Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL.

Default
Deny
Allowed
Deny, Disabled

change

Major (1.0.1 > 2.0.0)

2021-04-27 15:38:15

BuiltIn

App Service

fb74e86f-d351-4b8d-b034-93da7391c01f

App Service Environment should have internal encryption enabled

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-04-27 15:38:15

BuiltIn

Monitoring

d6545c6b-dd9d-4265-91e6-0b451e2f1c50

Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.1.0-preview > 1.2.0)

2021-04-27 15:38:15

BuiltIn

App Service

App Service Environment should have TLS 1.0 and 1.1 disabled

TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-04-27 15:38:15

BuiltIn

Backup

15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-04-27 15:38:15

BuiltIn

Security Center

Log Analytics agent should be installed on your Cloud Services (extended support) role instances

Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-04-27 15:38:15

BuiltIn

Security Center

1e378679-f122-4a96-a739-a7729c46e1aa

[Deprecated]: Cloud Services (extended support) role instances should have an endpoint protection solution installed

Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-04-27 15:38:15

BuiltIn

SQL

7ea8a143-05e3-4553-abfe-f56bef8b0b70

Configure Azure SQL database servers diagnostic settings to Log Analytics workspace

Enables auditing logs for Azure SQL Database server and stream the logs to a Log Analytics workspace when any SQL Server which is missing this auditing is created or updated

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2021-04-27 15:38:15

BuiltIn

Backup

4df26ba8-026d-45b0-9521-bffa44d741d2

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (2.0.0 > 3.0.0)

2021-04-27 15:38:15

BuiltIn

Security Center

Cloud Services (extended support) role instances should have system updates installed

Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-04-27 15:38:15

BuiltIn

Monitoring

2465583e-4e78-4c15-b6be-a36cbc7c8b0f

Configure Azure Activity logs to stream to specified Log Analytics workspace

Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-04-27 15:38:15

BuiltIn

Automanage

11566b39-f7f7-4b82-ab06-68d8700eb0a4

[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (4.0.0 > 4.1.0)

2021-04-27 15:38:15

BuiltIn

Cognitive Services

[Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption.

This policy is deprecated. Cognitive Services have data encryption enforced.

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Major, new suffix: deprecated (1.0.0 > 2.0.0-deprecated)

2021-04-21 13:28:46

BuiltIn

Cognitive Services

c4bc6f10-cb41-49eb-b000-d5ab82e2a091

Configure Cognitive Services accounts to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Key Vault

9d4fad1f-5189-4a42-b29e-cf7929c6b6df

Configure Azure Key Vaults with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Key Vault

ac673a9a-f77d-4846-b2d8-a57f8e1c01dc

Configure key vaults to enable firewall

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Key Vault

013e242c-8828-4970-87b3-ab247555486d

Azure Key Vault should have firewall enabled or public network access disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.2-preview > 1.1.0-preview)

2021-04-21 13:28:46

BuiltIn

Backup

Azure Backup should be enabled for Virtual Machines

Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2021-04-21 13:28:46

BuiltIn

Key Vault

a6abeaec-4d90-4a02-805f-6b26c4d3fbe9

Azure Key Vaults should use private link

Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Cognitive Services

2bdd0062-9d75-436e-89df-487dd8e4b3c7

[Deprecated]: Cognitive Services accounts should enable data encryption

This policy is deprecated. Cognitive Services have data encryption enforced.

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Major, new suffix: deprecated (1.0.0 > 2.0.0-deprecated)

2021-04-21 13:28:46

BuiltIn

Key Vault

ac673a9a-f77d-4846-b2d8-a57f8e1c01d4

Configure Azure Key Vaults to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Cognitive Services

3aa87b5a-7813-4b57-8a43-42dd9df5aaa7

Configure Cognitive Services accounts with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Azure Active Directory

Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Cognitive Services

[Deprecated]: Cognitive Services should use private link

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Guest Configuration

2e94d99a-8a36-4563-bc77-810d8893b671

Windows machines should be configured to use secure communication protocols

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.0 > 2.1.0)

2021-04-21 13:28:46

BuiltIn

Backup

[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data

Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-04-21 13:28:46

BuiltIn

Automanage

8b0323be-cc25-4b61-935d-002c3798c6ea

[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2021-04-13 13:28:43

BuiltIn

Data Factory

Azure Data Factory should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-04-13 13:28:43

BuiltIn

Compute

582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5

Configure disk access resources with private endpoints

Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-04-07 13:27:17

BuiltIn

Data Factory

496ca26b-f669-4322-a1ad-06b7b5e41882

Configure private endpoints for Data factories

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-04-07 13:27:17

BuiltIn

Backup

8426280e-b5be-43d9-979e-653d12a08638

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-04-07 13:27:17

BuiltIn

Compute

Configure managed disks to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-04-07 13:27:17

BuiltIn

Compute

8405fdab-1faf-48aa-b702-999c9c172094

Managed disks should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-04-07 13:27:17

BuiltIn

Backup

f39f5f49-4abf-44de-8c70-0756997bfb51

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-04-07 13:27:17

BuiltIn

Compute

Disk access resources should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-04-07 13:27:17

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2021-04-07 13:27:17

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-04-07 13:27:17

BuiltIn

Machine Learning

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2021-04-07 13:27:17

BuiltIn

Backup

08b1442b-7789-4130-8506-4f99a97226a7

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Major (1.1.0 > 2.0.0)

2021-04-07 13:27:17

BuiltIn

Data Factory

Configure Data Factories to disable public network access

Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-04-07 13:27:17

BuiltIn

Machine Learning

86cd96e1-1745-420d-94d4-d3f2fe415aa4

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2021-04-07 13:27:17

BuiltIn

Data Factory

Configure private DNS zones for private endpoints that connect to Azure Data Factory

Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-04-07 13:27:17

BuiltIn

Machine Learning

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-31 14:35:06

BuiltIn

Machine Learning

ef45854f-b33f-49a3-8041-9057e915d88f

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (1.0.1-preview > 2.0.0-preview)

2021-03-31 14:35:06

BuiltIn

SignalR

Configure private endpoints to Azure SignalR Service

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure SignalR Service resources, you can reduce data leakage risks. Learn more at https://aka.ms/asrs/privatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-31 14:35:06

BuiltIn

Machine Learning

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-31 14:35:06

BuiltIn

SQL

752154a7-1e0f-45c6-a880-ac75a7e4f648

Configure SQL servers to have auditing enabled

To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2021-03-31 14:35:06

BuiltIn

Monitoring

Public IP addresses should have resource logs enabled for Azure DDoS Protection

Default
AuditIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2021-03-31 14:35:06

BuiltIn

b698b005-b660-4837-b833-a7aaab26ddba

Configure Azure AI Search services with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-31 14:35:06

BuiltIn

Machine Learning

0fda3595-9f2b-4592-8675-4231d6fa82fe

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-31 14:35:06

BuiltIn

[Deprecated]: Azure AI Search services should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AI Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-31 14:35:06

BuiltIn

VM Image Builder

2154edb9-244f-4741-9970-660785bccdaa

VM Image Builder templates should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Minor (1.0.1 > 1.1.0)

2021-03-31 14:35:06

BuiltIn

Synapse

ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee

Configure Synapse workspaces to have auditing enabled

To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-03-31 14:35:06

BuiltIn

Network

94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d

Virtual networks should be protected by Azure DDoS Protection

Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection. For more information, visit https://aka.ms/ddosprotectiondocs.

Default
Modify
Allowed
Modify, Audit, Disabled

add

new Policy

2021-03-31 14:35:06

BuiltIn

Machine Learning

480d0f91-30af-4a76-9afb-f5710ac52b09

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-31 14:35:06

BuiltIn

Guest Configuration

Private endpoints for Guest Configuration assignments should be enabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-31 14:35:06

BuiltIn

Machine Learning

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-31 14:35:06

BuiltIn

Compute

970f84d8-71b6-4091-9979-ace7e3fb6dbb

Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.2.0)

2021-03-24 14:32:48

BuiltIn

Storage

HPC Cache accounts should use customer-managed key for encryption

Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Major (1.0.0 > 2.0.0)

2021-03-24 14:32:48

BuiltIn

Cognitive Services

46aa9b05-0e60-4eae-a88b-1e9d374fa515

Cognitive Services accounts should use customer owned storage

Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-03-24 14:32:48

BuiltIn

Storage

[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.1.0 > 1.3.0)

2021-03-24 14:32:48

BuiltIn

Machine Learning

529ea018-6afc-4ed4-95bd-7c9ee47b00bc

[Deprecated]: Azure Machine Learning workspaces should use private link

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-03-24 14:32:48

BuiltIn

Synapse

Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher

For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-03-24 14:32:48

BuiltIn

Kubernetes

[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-24 14:32:48

BuiltIn

SQL

7590a335-57cf-4c95-babd-ecbc8fafeb1f

SQL servers with auditing to storage account destination should be configured with 90 days retention or higher

For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.1.0 > 3.0.0)

2021-03-24 14:32:48

BuiltIn

Migrate

Configure Azure Migrate resources to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-16 16:49:20

BuiltIn

Container Registry

0fdf0491-d080-4575-b627-ad0e843cba0f

Public network access should be disabled for Container registries

Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-16 16:49:20

BuiltIn

Kubernetes

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, old suffix: preview (2.0.0-preview > 3.0.0)

2021-03-16 16:49:20

BuiltIn

Compute

Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-03-16 16:49:20

BuiltIn

Monitoring

7838fd83-5cbb-4b5d-888c-bfa240972597

Configure Dependency agent on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor, old suffix: preview (1.1.0-preview > 1.2.0)

2021-03-16 16:49:20

BuiltIn

Machine Learning

Configure Azure Machine Learning workspaces with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-16 16:49:20

BuiltIn

Machine Learning

ee40564d-486e-4f68-a5ca-7a621edae0fb

[Deprecated]: Azure Machine Learning workspaces should use private link

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.0)

2021-03-16 16:49:20

BuiltIn

Machine Learning

Configure Azure Machine Learning workspace to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-16 16:49:20

BuiltIn

Container Registry

a3701552-92ea-433e-9d17-33b7f1208fc9

Configure Container registries to disable public network access

Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-16 16:49:20

BuiltIn

Container Registry

e9585a95-5b8c-4d03-b193-dc7eb5ac4c32

Configure Container registries to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-16 16:49:20

BuiltIn

Container Registry

d85c6833-7d33-4cf5-a915-aaa2de84405f

Configure Container registries with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-16 16:49:20

BuiltIn

Container Registry

bd560fc0-3c69-498a-ae9f-aa8eb7de0e13

Container registries should have SKUs that support Private Links

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-16 16:49:20

BuiltIn

Container Registry

Container registries should not allow unrestricted network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.1 > 1.1.0)

2021-03-16 16:49:20

BuiltIn

Security Center

1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5

Configure machines to receive a vulnerability assessment provider

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-10 14:52:46

BuiltIn

Logic Apps

Logic Apps Integration Service Environment should be encrypted with customer-managed keys

Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

fbc14a67-53e4-4932-abcc-2049c6706009

Configure Azure AI Search services to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Security Center

c3d20c29-b36d-48fe-808b-99a87530ad99

Azure Defender for Resource Manager should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Cognitive Services

b609e813-3156-4079-91fa-a8494c1471c4

Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.3 > 2.0.0)

2021-03-09 14:37:41

BuiltIn

Cosmos DB

Configure CosmosDB accounts with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Internet of Things

d82101f3-f3ce-4fc5-8708-4c09f4009546

IoT Hub device provisioning service instances should disable public network access

Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Service Bus

f0fcf93c-c063-4071-9668-c47474bd3564

Configure Service Bus namespaces to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Cosmos DB

da69ba51-aaf1-41e5-8651-607cd0b37088

Configure CosmosDB accounts to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

a049bf77-880b-470f-ba6d-9f21c530cf83

Azure AI Search service should use a SKU that supports private link

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Kubernetes

30b3dfa5-a70d-4c8e-bed6-0083858f663d

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.0 > 6.1.0)

2021-03-09 14:37:41

BuiltIn

Cache

Configure Azure Cache for Redis to disable public network access

Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Service Bus

7d890f7f-100c-473d-baa1-2777e2266535

Configure Service Bus namespaces with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Service Bus namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Event Hub

91678b7c-d721-4fc5-b179-3cdf74e96b1c

Configure Event Hub namespaces with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

SQL

c251913d-7d24-4958-af87-478ed3b9ba41

Configure SQL servers to have auditing enabled

To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-03-09 14:37:41

BuiltIn

Network

Flow logs should be configured for every network security group

Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-03-09 14:37:41

BuiltIn

Cache

7803067c-7d34-46e3-8c79-0ca68fc4036d

Azure Cache for Redis should use private link

Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Cognitive Services

fe3fd216-4f83-4fc1-8984-2bbec80a3418

Cognitive Services accounts should use a managed identity

Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Event Hub

ed66d4f5-8220-45dc-ab4a-20d1749c74e6

Configure Event Hub namespaces to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Container Instance

0aa61e00-0a01-4a3c-9945-e93cffedf0e6

Azure Container Instance container group should use customer-managed key for encryption

Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2021-03-09 14:37:41

BuiltIn

API Management

73ef9241-5d81-4cd4-b483-8443d1730fe5

API Management service should use a SKU that supports virtual networks

With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

ee980b6d-0eca-4501-8d54-f6290fd512c3

Azure AI Search services should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Internet of Things

aaa64d2d-2fa3-45e5-b332-0b031b9b30e8

Configure IoT Hub device provisioning instances to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Kubernetes

a6f560f4-f582-4b67-b123-a37dcd1bf7ea

Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets

Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Network

27960feb-a23c-4577-8d36-ef8b5f35e0be

All flow log resources should be in enabled state

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Service Bus

1c06e275-d63d-4540-b761-71f364c2111d

Azure Service Bus namespaces should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Kubernetes

040732e8-d947-40b8-95d6-854c95024bf8

Azure Kubernetes Service Private Clusters should be enabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

SignalR

62a3ae95-8169-403e-a2d2-b82141448092

Modify Azure SignalR Service resources to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Security Center

Configure machines to receive a vulnerability assessment provider

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Cognitive Services

72d11df1-dd8a-41f7-8925-b05b960ebafc

[Deprecated]: Cognitive Services accounts should disable public network access

Default
Disabled
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-03-09 14:37:41

BuiltIn

Synapse

Azure Synapse workspaces should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-03-09 14:37:41

BuiltIn

SignalR

21a9766a-82a5-4747-abb5-650b6dbba6d0

Azure SignalR Service should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Data Factory

797b37f7-06b8-444c-b1ad-fc62867f335a

SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Cosmos DB

Azure Cosmos DB should disable public network access

Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Storage

58440f8a-10c5-4151-bdce-dfbaad4a20b7

[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-03-09 14:37:41

BuiltIn

Cosmos DB

CosmosDB accounts should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Synapse

ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee

Configure Synapse workspaces to have auditing enabled

To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Cognitive Services

47ba1dd7-28d9-4b07-a8d5-9813bed64e0c

Configure Cognitive Services accounts to disable public network access

Default
Modify
Allowed
Disabled, Modify

add

new Policy

2021-03-09 14:37:41

BuiltIn

Event Hub

b8564268-eb4a-4337-89be-a19db070c59d

Event Hub namespaces should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Kubernetes

e016b22b-e0eb-436d-8fd7-160c4eaed6e2

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.0 > 6.1.0)

2021-03-09 14:37:41

BuiltIn

Cache

Configure Azure Cache for Redis to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Container Instance

8af8f826-edcb-4178-b35f-851ea6fea615

Azure Container Instance container group should deploy into a virtual network

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2021-03-09 14:37:41

BuiltIn

Storage

970f84d8-71b6-4091-9979-ace7e3fb6dbb

HPC Cache accounts should use customer-managed key for encryption

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2021-03-09 14:37:41

BuiltIn

Compute

702dd420-7fcc-42c5-afe8-4026edd20fe0

OS and data disks should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-03-09 14:37:41

BuiltIn

Compute

d461a302-a187-421a-89ac-84acdb4edc04

Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption

Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-03-09 14:37:41

BuiltIn

Synapse

3b3b0c27-08d2-4b32-879d-19930bee3266

Configure Azure Synapse workspaces with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Synapse workspaces, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Automation

6dd01e4f-1be1-4e80-9d0b-d109e04cb064

Configure Azure Automation accounts with private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

SQL

955a914f-bf86-4f0e-acd5-e0766b0efcb6

SQL servers with auditing to storage account destination should be configured with 90 days retention or higher

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor (2.0.1 > 2.1.0)

2021-03-09 14:37:41

BuiltIn

Automation

Automation accounts should disable public network access

Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

9cee519f-d9c1-4fd9-9f79-24ec3449ed30

Configure Azure AI Search services to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Backup

deeddb44-9f94-4903-9fa0-081d524406e3

[Preview]: Azure Recovery Services vaults should use private link for backup

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

SignalR

464a1620-21b5-448d-8ce6-d4ac6d1bc49a

Azure SignalR Service should use a Private Link enabled SKU

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination which protect your resources against public data leakage risks. The policy limits you to Private Link enabled SKUs for Azure SignalR Service. Learn more about private link at: https://aka.ms/asrs/privatelink.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Logic Apps

dc595cb1-1cde-45f6-8faf-f88874e1c0e1

Logic Apps should be deployed into Integration Service Environment

Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys which provides enhanced data protection by allowing you to manage your encryption keys. This is often to meet compliance requirements.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Security Center

bdc59948-5574-49b3-bb91-76b7c986428d

[Deprecated]: Azure Defender for DNS should be enabled

This policy definition is no longer the recommended way to achieve its intent, because DNS bundle is being deprecated. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 4da35fc9-c9e7-4960-aec9-797fe7d9051d. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Synapse

2b18f286-371e-4b80-9887-04759970c0d3

Synapse workspace auditing settings should have action groups configured to capture critical activities

To ensure your audit logs are as thorough as possible, the AuditActionsAndGroups property should include all the relevant groups. We recommend adding at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP. This is sometimes required for compliance with regulatory standards.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Storage

9f766f00-8d11-464e-80e1-4091d7874074

Configure Storage account to use a private link connection

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your storage account, you can reduce data leakage risks. Learn more about private links at - https://aka.ms/azureprivatelinkoverview

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Kubernetes

2d7e144b-159c-44fc-95c1-ac3dbf5e6e54

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor (6.0.0 > 6.1.0)

2021-03-09 14:37:41

BuiltIn

Internet of Things

[Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest

Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Cache

470baccb-7e51-4549-8b1a-3e5be069f663

Azure Cache for Redis should disable public network access

Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Cosmos DB

a63cc0bd-cda4-4178-b705-37dc439d3e0f

Configure CosmosDB accounts to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Storage

6edd7eda-6dd8-40f7-810d-67160c639cd9

Storage accounts should use private link

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-03-09 14:37:41

BuiltIn

Synapse

e04e5000-cd89-451d-bb21-a14d24ff9c73

Auditing on Synapse workspace should be enabled

Auditing on your Synapse workspace should be enabled to track database activities across all databases on the dedicated SQL pools and save them in an audit log.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Synapse

1e5ed725-f16c-478b-bd4b-7bfa2f7940b9

Configure Azure Synapse workspaces to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Internet of Things

859dfc91-ea35-43a6-8256-31271c363794

Configure IoT Hub device provisioning service instances to disable public network access

Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Internet of Things

df39c015-56a4-45de-b4a3-efe77bed320d

IoT Hub device provisioning service instances should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Kubernetes

1d61c4d2-aef2-432b-87fc-7f96b019b7e1

Configure Kubernetes clusters with specified GitOps configuration using no secrets

Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)

2021-03-09 14:37:41

BuiltIn

Synapse

529ea018-6afc-4ed4-95bd-7c9ee47b00bc

Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Storage

7433c107-6db4-4ad1-b57a-a76dce0154a1

Storage accounts should be limited by allowed SKUs

Restrict the set of storage account SKUs that your organization can deploy.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2021-03-09 14:37:41

BuiltIn

SignalR

b0e86710-7fb7-4a6c-a064-32e9b829509e

Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://aka.ms/asrs/privatelink.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Internet of Things

9b75ea5b-c796-4c99-aaaf-21c204daac43

Configure IoT Hub device provisioning service instances with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Security Center

86b3d65f-7626-441e-b690-81a8b71cff60

[Deprecated]: System updates should be installed on your machines

Missing security system updates on your servers will be monitored by Azure Security Center as recommendations

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2021-03-09 14:37:41

BuiltIn

Kubernetes

c050047b-b21b-4822-8a2d-c1e37c3c0c6a

Configure Kubernetes clusters with specified GitOps configuration using SSH secrets

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Automation

c0c3130e-7dda-4187-aed0-ee4a472eaa60

Configure private endpoint connections on Azure Automation accounts

Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-09 14:37:41

BuiltIn

Monitoring

32133ab0-ee4b-4b44-98d6-042180979d50

[Deprecated]: Log Analytics Extension should be enabled for listed virtual machine images

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-02 15:11:40

BuiltIn

Kubernetes

11ac78e3-31bc-4f0c-8434-37ab963cea07

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2021-03-02 15:11:40

BuiltIn

Monitoring

Dependency agent should be enabled for listed virtual machine images

Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

b35dddd9-daf7-423b-8375-5a5b86806d5a

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Storage

Configure Azure File Sync with private endpoints

A private endpoint is deployed for the indicated Storage Sync Service resource. This enables you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. The existence of one or more private endpoints by themselves does not disable the public endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

0e07b2e9-6cd9-4c40-9ccb-52817b95133b

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2021-03-02 15:11:40

BuiltIn

Storage

Modify - Configure Azure File Sync to disable public network access

The Azure File Sync's internet-accessible public endpoint are disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s).

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

7a860e27-9ca2-4fc6-822d-c2d248c300df

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-02 15:11:40

BuiltIn

App Configuration

Configure private DNS zones for private endpoints connected to App Configuration

Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

App Service

dcbc65aa-59f3-4239-8978-3bb869d82604

App Service apps should use an Azure file share for its content directory

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Automanage

[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.0.0 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

0ef5aac7-c064-427a-b87b-d47b3ddcaf73

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2021-03-02 15:11:40

BuiltIn

Batch

Configure Batch accounts with private endpoints

Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Monitoring

ca91455f-eace-4f96-be59-e6e2c35b4816

[Deprecated]: Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2021-03-02 15:11:40

BuiltIn

Compute

Managed disks should be double encrypted with both platform-managed and customer-managed keys

High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.1 > 4.0.0)

2021-03-02 15:11:40

BuiltIn

App Service

614ffa75-862c-456e-ad8b-eaa1b0844b07

Function apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

App Configuration

Configure private endpoints for App Configuration

Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Event Grid

6fcec95c-fbdf-45e8-91e1-e3175d9c9eca

Deploy - Configure Azure Event Grid topics with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Monitoring

e2dd799a-a932-4e9d-ac17-d473bc3c6c10

Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images

Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2021-03-02 15:11:40

BuiltIn

General

6c112d4e-5bc7-47ae-a041-ea2d9dccd749

Not allowed resource types

Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources.

Default
Deny
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-03-02 15:11:40

BuiltIn

Storage

21a8cd35-125e-4d13-b82d-2e19b7208bb7

Public network access should be disabled for Azure File Sync

Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Automation

23b36a7c-9d26-4288-a8fd-c1d2fa284d8c

Configure Azure Automation accounts to disable public network access

Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Storage

06695360-db88-47f6-b976-7500d4297475

Configure Azure File Sync to use private DNS zones

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

702dd420-7fcc-42c5-afe8-4026edd20fe0

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-02 15:11:40

BuiltIn

Compute

OS and data disks should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Synapse

3484ce98-c0c5-4c83-994b-c5ac24785218

Azure Synapse workspaces should allow outbound data traffic only to approved targets

Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevention against data exfiltration by validating the target before sending data.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

bf684997-3909-404e-929c-d4a38ed23b2e

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-02 15:11:40

BuiltIn

Internet of Things

Deploy - Configure Azure IoT Hubs with private endpoints

A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

4d0bc837-6eff-477e-9ecd-33bf8d4212a5

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

App Service

Function apps should use an Azure file share for its content directory

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

b0ab5b05-1c98-40f7-bb9e-dc568e41b501

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

HDInsight

Azure HDInsight clusters should be injected into a virtual network

Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

8e8ca470-d980-4831-99e6-dc70d9f6af87

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

SQL

Configure Azure SQL Server to enable private endpoint connections

A private endpoint connection enables private connectivity to your Azure SQL Database via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Monitoring

fc4d8e41-e223-45ea-9bf5-eada37891d87

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2021-03-02 15:11:40

BuiltIn

Compute

Virtual machines and virtual machine scale sets should have encryption at host enabled

Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

d461a302-a187-421a-89ac-84acdb4edc04

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2021-03-02 15:11:40

BuiltIn

Compute

Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Internet of Things

47031206-ce96-41f8-861b-6a915f3de284

[Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)

Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.1 > 4.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

0d40b058-9f95-4a19-93e3-9b0330baa2a3

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Internet of Things

Private endpoint should be enabled for IoT Hub

Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-02 15:11:40

BuiltIn

Internet of Things

Deploy - Configure Azure IoT Hubs to use private DNS zones

Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, disabled, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

SQL

28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b

Configure Azure SQL Server to disable public network access

Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Internet of Things

2d6830fb-07eb-48e7-8c4d-2a442b35f0fb

Public network access on Azure IoT Hub should be disabled

Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Internet of Things

114eec6e-5e59-4bad-999d-6eceeb39d582

Modify - Configure Azure IoT Hubs to disable public network access

Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

0c2b3618-68a8-4034-a150-ff4abc873462

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2021-03-02 15:11:40

BuiltIn

Automation

Private endpoint connections on Automation Accounts should be enabled

Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

324c7761-08db-4474-9661-d1039abc92ee

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

App Service

[Deprecated]: API apps should use an Azure file share for its content directory

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Event Grid

36f4658a-848a-467b-881c-e6fa20cf75fc

Deploy - Configure Azure Event Grid domains with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

App Configuration

73290fa2-dfa7-4bbb-945d-a5e23b75df2c

Configure App Configuration to disable public network access

Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2021-03-02 15:11:40

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.3.0 > 2.0.0)

2021-03-02 15:11:40

BuiltIn

App Service

[Deprecated]: API apps that use Python should use the latest 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

App Service

App Service apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.1 > 6.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

1d320205-c6a1-4ac6-873d-46224024e8e2

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (5.0.2 > 6.0.0)

2021-03-02 15:11:40

BuiltIn

Storage

Azure File Sync should use private link

Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.0)

2021-03-02 15:11:40

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (3.0.1 > 4.0.0)

2021-03-02 15:11:40

BuiltIn

Monitoring

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2021-03-02 15:11:40

BuiltIn

Monitoring

[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs

Default
Modify
Allowed
Modify, Disabled

count: 003
•Managed Identity Contributor
•Managed Identity Operator
•Virtual Machine Contributor

change

Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)

2021-03-02 15:11:40

BuiltIn

Monitoring

5f0c7d88-c7de-45b8-ac49-db49e72eaa78

Deploy - Configure Dependency agent to be enabled on Windows virtual machines

Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Major (1.3.0 > 2.0.0)

2021-03-02 15:11:40

BuiltIn

Machine Learning

Azure Machine Learning workspaces should use user-assigned managed identity

Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-03-02 15:11:40

BuiltIn

Kubernetes

3d9f5e4c-9947-4579-9539-2a7695fbc187

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)

2021-03-02 15:11:40

BuiltIn

App Configuration

App Configuration should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-23 16:24:42

BuiltIn

Network

b6e2945c-0b7b-40f5-9233-7a5323b5cdc6

Network Watcher should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2021-02-23 16:24:42

BuiltIn

App Configuration

89c8a434-18f0-402c-8147-630a8dea54e0

App Configuration should use a SKU that supports private link

When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-23 16:24:42

BuiltIn

Batch

009a0c92-f5b4-4776-9b66-4ed2b4775563

Private endpoint connections on Batch accounts should be enabled

Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-02-23 16:24:42

BuiltIn

Key Vault

951af2fa-529b-416e-ab6e-066fd85ac459

Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace

Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-23 16:24:42

BuiltIn

Batch

4ec38ebc-381f-45ee-81a4-acbc4be878f8

Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts

Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-23 16:24:42

BuiltIn

Storage

[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-23 16:24:42

BuiltIn

Monitoring

6c66c325-74c8-42fd-a286-a74b0e2939d8

[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs

Default
Modify
Allowed
Modify, Disabled

count: 003
•Managed Identity Contributor
•Managed Identity Operator
•Virtual Machine Contributor

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2021-02-23 16:24:42

BuiltIn

Kubernetes

Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace

Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-23 16:24:42

BuiltIn

36f4658a-848a-467b-881c-e6fa20cf75fc

n/a

remove

36f4658a-848a-467b-881c-e6fa20cf75fc

2021-02-22 14:29:52 (i)

BuiltIn

6fcec95c-fbdf-45e8-91e1-e3175d9c9eca

n/a

remove

6fcec95c-fbdf-45e8-91e1-e3175d9c9eca

2021-02-22 14:29:52 (i)

BuiltIn

Security Center

0b15565f-aa9e-48ba-8619-45960f2c314d

Email notification to subscription owner for high severity alerts should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2021-02-17 14:28:42

BuiltIn

Event Grid

baf19753-7502-405f-8745-370519b20483

Deploy - Configure Azure Event Grid topics to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Key Vault

a6d2c800-5230-4a40-bff3-8268b4987d42

Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM

Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Monitoring

fa298e57-9444-42ba-bf04-86e8470e32c7

Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Event Grid

f8f774be-6aee-492a-9e29-486ef81f3a68

Azure Event Grid domains should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Monitoring

b3884c81-31aa-473d-a9bb-9466fe0ec2a0

Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM

Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Monitoring

1f68a601-6e6d-4e42-babf-3f643a047ea2

Azure Monitor Logs clusters should be encrypted with customer-managed key

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Event Grid

9830b652-8523-49cc-b1b3-e17dce1127ca

Azure Event Grid domains should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.1 > 1.0.2)

2021-02-17 14:28:42

BuiltIn

Security Center

36f4658a-848a-467b-881c-e6fa20cf75fc

Deploy Workflow Automation for Microsoft Defender for Cloud alerts

Fixed
deployIfNotExists

change

Major (2.0.0 > 3.0.0)

2021-02-17 14:28:42

BuiltIn

Event Grid

Deploy - Configure Azure Event Grid domains with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Monitoring

ea0dfaed-95fb-448c-934e-d6e713ce393d

Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Backup

c717fb0c-d118-4c43-ab3d-ece30ac81fb3

Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.

Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created.

Fixed
deployIfNotExists

change

Version remains equal, old suffix: preview (1.0.2-preview > 1.0.2)

2021-02-17 14:28:42

BuiltIn

Key Vault

c39ba22d-4428-4149-b981-70acb31fc383

Azure Key Vault Managed HSM should have purge protection enabled

Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Security Center

d389df0a-e0d7-4607-833c-75a6fdac2c2d

Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance

Fixed
deployIfNotExists

change

Major (2.0.0 > 3.0.0)

2021-02-17 14:28:42

BuiltIn

Event Grid

Deploy - Configure Azure Event Grid domains to use private DNS zones

Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.

Default
DeployIfNotExists
Allowed
deployIfNotExists, DeployIfNotExists, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

App Service

d550e854-df1a-4de9-bf44-cd894b39a95e

App Service apps should have resource logs enabled

Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Monitoring

Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

App Service

0da106f2-4ca3-48e8-bc85-c638fe6aea8f

Function apps should use managed identity

Use a managed identity for enhanced authentication security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-02-17 14:28:42

BuiltIn

App Service

c4d441f8-f9d9-4a9e-9cef-e82117cb3eef

[Deprecated]: Managed identity should be used in your API App

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-02-17 14:28:42

BuiltIn

Security Center

a2a5b911-5617-447e-a49e-59dbe0e0434b

Deploy Workflow Automation for Microsoft Defender for Cloud recommendations

Fixed
deployIfNotExists

change

Major (2.0.0 > 3.0.0)

2021-02-17 14:28:42

BuiltIn

Key Vault

Resource logs in Azure Key Vault Managed HSM should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Event Grid

4b90e17e-8448-49db-875e-bd83fb6f804f

Azure Event Grid topics should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.1 > 1.0.2)

2021-02-17 14:28:42

BuiltIn

Event Grid

6fcec95c-fbdf-45e8-91e1-e3175d9c9eca

Deploy - Configure Azure Event Grid topics with private endpoints

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Event Grid

36ea4b4b-0f7f-4a54-89fa-ab18f555a172

Modify - Configure Azure Event Grid topics to disable public network access

Disable public network access for Azure Event Grid resource so that it isn't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of the your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Kubernetes

2b9ad585-36bc-4615-b300-fd4435808332

Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities

To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

App Service

App Service apps should use managed identity

Use a managed identity for enhanced authentication security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-02-17 14:28:42

BuiltIn

Event Grid

898e9824-104c-4965-8e0e-5197588fa5d4

Modify - Configure Azure Event Grid domains to disable public network access

Default
Modify
Allowed
Modify, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

Event Grid

1adadefe-5f21-44f7-b931-a59b54ccdb45

Azure Event Grid topics should disable public network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-17 14:28:42

BuiltIn

SQL

SQL servers with auditing to storage account destination should be configured with 90 days retention or higher

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-02-10 14:43:58

BuiltIn

Machine Learning

051cba44-2429-45b9-9649-46cec11c7119

Azure Machine Learning workspaces should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.2 > 1.0.3)

2021-02-10 14:43:58

BuiltIn

API for FHIR

Azure API for FHIR should use a customer-managed key to encrypt data at rest

Default
Audit
Allowed
audit, Audit, disabled, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-02-10 14:43:58

BuiltIn

Data Lake

057ef27e-665e-4328-8ea3-04b3122bd9fb

Resource logs in Azure Data Lake Store should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

SQL

7ea8a143-05e3-4553-abfe-f56bef8b0b70

Configure Azure SQL database servers diagnostic settings to Log Analytics workspace

Enables auditing logs for Azure SQL Database server and stream the logs to a Log Analytics workspace when any SQL Server which is missing this auditing is created or updated

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-10 14:43:58

BuiltIn

HDInsight

64d314f6-6062-4780-a861-c23e8951bee5

Azure HDInsight clusters should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-02-10 14:43:58

BuiltIn

SQL

83a214f7-d01a-484b-91a9-ed54470c9a6a

Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace

Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-02-10 14:43:58

BuiltIn

Event Hub

Resource logs in Event Hub should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

Backup

c717fb0c-d118-4c43-ab3d-ece30ac81fb3

Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.

Fixed
deployIfNotExists

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2021-02-10 14:43:58

BuiltIn

Data Factory

85bb39b5-2f66-49f8-9306-77da3ac5130f

Azure Data Factory integration runtime should have a limit for number of cores

To manage your resources and costs, limit the number of cores for an integration runtime.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-10 14:43:58

BuiltIn

General

0a914e76-4921-4c19-b460-a2d36003525a

Audit resource location matches resource group location

Audit that the resource location matches its resource group location

Fixed
audit

change

Major (1.0.0 > 2.0.0)

2021-02-10 14:43:58

BuiltIn

b4330a05-a843-4bc8-bf9a-cacce50c67f4

Resource logs in Search services should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

Cache

[Deprecated]: Azure Cache for Redis should reside within a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.2 > 1.0.3)

2021-02-10 14:43:58

BuiltIn

SQL

4ec52d6d-beb7-40c4-9a9e-fe753254690e

MySQL servers should use customer-managed keys to encrypt data at rest

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2021-02-10 14:43:58

BuiltIn

Data Factory

Azure data factories should be encrypted with a customer-managed key

Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-02-10 14:43:58

BuiltIn

Internet of Things

383856f8-de7f-44a2-81fc-e5135b5c2aa4

Resource logs in IoT Hub should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.1)

2021-02-10 14:43:58

BuiltIn

SQL

b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13

SQL Database should avoid using GRS backup redundancy

Default
Deny
Allowed
Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-02-10 14:43:58

BuiltIn

Data Lake

c95c74d9-38fe-4f0d-af86-0c7d626a315c

Resource logs in Data Lake Analytics should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

Data Factory

Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported

Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-10 14:43:58

BuiltIn

Storage

f8d36e2f-389b-4ee4-898d-21aeb69a0f45

Storage accounts should use customer-managed key for encryption

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.1 > 1.0.2)

2021-02-10 14:43:58

BuiltIn

Service Bus

Resource logs in Service Bus should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

Key Vault

127ef6d7-242f-43b3-9eef-947faf1725d0

Key vaults should have soft delete enabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2021-02-10 14:43:58

BuiltIn

Data Factory

Azure Data Factory linked services should use Key Vault for storing secrets

To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-10 14:43:58

BuiltIn

Storage

34c877ad-507e-4c82-993e-3452a6e0ad3c

Storage accounts should restrict network access

Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.1.0 > 1.1.1)

2021-02-10 14:43:58

BuiltIn

Logic Apps

34f95f76-5386-4de7-b824-0d8478470c9d

Resource logs in Logic Apps should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

Container Registry

6809a3d0-d354-42fb-b955-783d207c62a8

Container registries should be encrypted with a customer-managed key

Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.1.1 > 1.1.2)

2021-02-10 14:43:58

BuiltIn

Data Factory

Azure Data Factory linked service resource type should be in allow list

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-10 14:43:58

BuiltIn

Compute

428256e6-1fac-4f48-a757-df34c2b3336d

[Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-02-10 14:43:58

BuiltIn

Batch

Resource logs in Batch accounts should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

Batch

99e9ccd8-3db9-4592-b0d1-14b1715a4d8a

Azure Batch account should use customer-managed keys to encrypt data

Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-02-10 14:43:58

BuiltIn

Cosmos DB

Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (1.0.1 > 1.0.2)

2021-02-10 14:43:58

BuiltIn

Cognitive Services

f9be5368-9bf5-4b84-9e0a-7850da98bb46

Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.2 > 1.0.3)

2021-02-10 14:43:58

BuiltIn

Stream Analytics

Resource logs in Azure Stream Analytics should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

Key Vault

cf820ca0-f99e-4f3e-84fb-66e913812d21

Resource logs in Key Vault should be enabled

Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.1)

2021-02-10 14:43:58

BuiltIn

SQL

a9934fd7-29f2-4e6d-ab3d-607ea38e9079

SQL Managed Instances should avoid using GRS backup redundancy

Default
Deny
Allowed
Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-02-10 14:43:58

BuiltIn

SQL

77d40665-3120-4348-b539-3192ec808307

PostgreSQL servers should use customer-managed keys to encrypt data at rest

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.2 > 1.0.3)

2021-02-10 14:43:58

BuiltIn

Data Factory

Azure Data Factory should use a Git repository for source control

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-10 14:43:58

BuiltIn

Kubernetes

41425d9f-d1a5-499a-9932-f8ed8453932c

Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-03 15:09:01

BuiltIn

Security Center

Deploy export to Event Hub for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Major (2.0.0 > 3.0.0)

2021-02-03 15:09:01

BuiltIn

Security Center

Deploy Workflow Automation for Microsoft Defender for Cloud recommendations

Fixed
deployIfNotExists

change

Major (1.0.0 > 2.0.0)

2021-02-03 15:09:01

BuiltIn

SQL

ef619a2c-cc4d-4d03-b2ba-8c94a834d85b

Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace

Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-02-03 15:09:01

BuiltIn

API Management

API Management services should use a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-02-03 15:09:01

BuiltIn

Data Factory

1cf164be-6819-4a50-b8fa-4bcaa4f98fb6

Public network access on Azure Data Factory should be disabled

Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-03 15:09:01

BuiltIn

Security Center

ec068d99-e9c7-401f-8cef-5bdde4e6ccf1

Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance

Fixed
deployIfNotExists

add

new Policy

2021-02-03 15:09:01

BuiltIn

Azure Data Explorer

Double encryption should be enabled on Azure Data Explorer

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-02-03 15:09:01

BuiltIn

Automation

56a5ee18-2ae6-4810-86f7-18e39ce5629b

Azure Automation accounts should use customer-managed keys to encrypt data at rest

Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-02-03 15:09:01

BuiltIn

Kubernetes

f4b53539-8df9-40e4-86c6-6b607703bd4e

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (5.0.1 > 5.0.2)

2021-02-03 15:09:01

BuiltIn

Azure Data Explorer

Disk encryption should be enabled on Azure Data Explorer

Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Major (1.0.0 > 2.0.0)

2021-02-03 15:09:01

BuiltIn

Security Center

Deploy Workflow Automation for Microsoft Defender for Cloud alerts

Fixed
deployIfNotExists

change

Major (1.0.0 > 2.0.0)

2021-02-03 15:09:01

BuiltIn

Security Center

6164527b-e1ee-4882-8673-572f425f5e0a

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Major (2.0.0 > 3.0.0)

2021-02-03 15:09:01

BuiltIn

Bot Service

Bot Service endpoint should be a valid HTTPS URI

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-01-27 16:54:46

BuiltIn

Batch

74c5a0ae-5e48-4738-b093-65e23a060488

Public network access should be disabled for Batch accounts

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-01-27 16:54:46

BuiltIn

Service Bus

295fc8b1-dc9f-4f53-9c61-3f313ceab40a

Service Bus Premium namespaces should use a customer-managed key for encryption

Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-01-27 16:54:46

BuiltIn

Security Center

501541f7-f7e7-4cd6-868c-4190fdad3ac9

A vulnerability assessment solution should be enabled on your virtual machines

Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-27 16:54:46

BuiltIn

Kubernetes

0a15ec92-a229-4763-bb14-0ea34a568f8d

Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters

Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

Default
Audit
Allowed
Audit, Disabled

change

Patch, old suffix: preview (1.0.1-preview > 1.0.2)

2021-01-27 16:54:46

BuiltIn

Event Hub

a1ad735a-e96f-45d2-a7b2-9a4932cab7ec

Event Hub namespaces should use a customer-managed key for encryption

Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2021-01-27 16:54:46

BuiltIn

Attestation

7b256a2d-058b-41f8-bed9-3f870541c40a

Azure Attestation providers should use private endpoints

Private endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-01-27 16:54:46

BuiltIn

Key Vault

51522a96-0869-4791-82f3-981000c2c67f

[Deprecated]: Private endpoint should be configured for Key Vault

The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor, suffix remains equal (1.0.2-preview > 1.1.0-preview)

2021-01-27 16:54:46

BuiltIn

Bot Service

Bot Service should be encrypted with a customer-managed key

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-01-27 16:54:46

BuiltIn

Guest Configuration

Windows machines should be configured to use secure communication protocols

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-01-27 16:54:46

BuiltIn

Guest Configuration

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)

2021-01-22 09:14:53

BuiltIn

Guest Configuration

Authentication to Linux machines should require SSH keys

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2021-01-22 09:14:53

BuiltIn

Compute

1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6

Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

HDInsight

Azure HDInsight clusters should use encryption at host to encrypt data at rest

Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

Security Center

b4d66858-c922-44e3-9566-5cdb7a7be744

[Deprecated]: A security contact phone number should be provided for your subscription

Enter a phone number to receive notifications when Azure Security Center detects compromised resources - This policy is deprecated because phone numbers are no longer used in any scenario by Azure Security Center

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2021-01-22 09:14:53

BuiltIn

Monitoring

Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

Security Center

[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

Security Center

d26f7642-7545-4e18-9b75-8c9bbdee3a9a

[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent

Default
Disabled
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

Security Center

Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity

The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-01-22 09:14:53

BuiltIn

Security Center

Guest Configuration extension should be installed on your machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-01-22 09:14:53

BuiltIn

Monitoring

0049a6b3-a662-4f3e-8635-39cf44ace45a

[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs

Default
Modify
Allowed
Modify, Disabled

count: 003
•Managed Identity Contributor
•Managed Identity Operator
•Virtual Machine Contributor

add

new Policy

2021-01-22 09:14:53

BuiltIn

Synapse

Vulnerability assessment should be enabled on your Synapse workspaces

Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

Guest Configuration

d9da03a1-f3c3-412a-9709-947156872263

Windows Defender Exploit Guard should be enabled on your machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.1.0 > 1.1.1)

2021-01-22 09:14:53

BuiltIn

HDInsight

Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes

Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

Security Center

760a85ff-6162-42b3-8d70-698e268f648c

[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution

Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)

2021-01-22 09:14:53

BuiltIn

HDInsight

64d314f6-6062-4780-a861-c23e8951bee5

Azure HDInsight clusters should use customer-managed keys to encrypt data at rest

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

Guest Configuration

Windows machines should meet requirements of the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

Monitoring

Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2021-01-22 09:14:53

BuiltIn

SQL

Public network access on Azure SQL Database should be disabled

Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.1 > 1.1.0)

2021-01-13 16:08:35

BuiltIn

Kubernetes

4ec52d6d-beb7-40c4-9a9e-fe753254690e

Kubernetes cluster services should only use allowed external IPs

Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-01-13 16:08:35

BuiltIn

Data Factory

Azure data factories should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-01-13 16:08:35

BuiltIn

SQL

Private endpoint connections on Azure SQL Database should be enabled

Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.

Default
Audit
Allowed
Audit, Disabled

change

Minor (1.0.1 > 1.1.0)

2021-01-13 16:08:35

BuiltIn

Cosmos DB

Azure Cosmos DB accounts should have firewall rules

Default
Deny
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2021-01-05 16:06:49

BuiltIn

Security Center

cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349

[Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

[Deprecated]: Sensitive data in your SQL databases should be classified

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)

2021-01-05 16:06:49

BuiltIn

Security Center

9daedab3-fb2d-461e-b861-71790eead4f6

[Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

All network ports should be restricted on network security groups associated to your virtual machine

Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.1 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

e8cbc669-f12d-49eb-93e7-9273119e9933

[Deprecated]: Vulnerabilities in container security configurations should be remediated

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

bd352bd5-2853-4985-bf0d-73806b4a5744

IP Forwarding on your virtual machine should be disabled

Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4

[Deprecated]: Allowlist rules in your adaptive application control policy should be updated

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

[Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

c3f317a7-a95c-4547-b7e7-11017ebdf2fe

[Deprecated]: System updates on virtual machine scale sets should be installed

Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

b0f33259-77d7-4c9e-aac6-3aabcfae693c

[Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines

Azure Security Center recommends NSG rules for Internet-facing VMs. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.1 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

Management ports of virtual machines should be protected with just-in-time network access control

Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

26a828e1-e88f-464e-bbb3-c134a282b9de

[Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets

Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

4f11b553-d42e-4e3a-89be-32ca364cad4c

A maximum of 3 owners should be designated for your subscription

It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

09024ccc-0c5f-475e-9457-b7c0d9ed487b

There should be more than one owner assigned to your subscription

It is recommended to designate more than one subscription owner in order to have administrator access redundancy.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Batch

99e9ccd8-3db9-4592-b0d1-14b1715a4d8a

Azure Batch account should use customer-managed keys to encrypt data

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2021-01-05 16:06:49

BuiltIn

Security Center

6b1cbf55-e8b6-442f-ba4c-7246b6381474

[Deprecated]: Deprecated accounts should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 8d7e1fde-fe26-4b5f-8108-f8e432cbc2be. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Azure Stack Edge

b4ac1030-89c5-4697-8e00-28b5ba6a8811

Azure Stack Edge devices should use double-encryption

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-01-05 16:06:49

BuiltIn

Security Center

af6cd1bd-1635-48cb-bde7-5b15693900b9

[Deprecated]: Monitor missing Endpoint Protection in Azure Security Center

Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

SQL

36d49e87-48c4-4f2e-beed-ba4ed02b71f5

Configure Azure Defender to be enabled on SQL servers

Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Fixed
DeployIfNotExists

change

Major (1.1.0 > 2.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

86b3d65f-7626-441e-b690-81a8b71cff60

[Deprecated]: System updates should be installed on your machines

Missing security system updates on your servers will be monitored by Azure Security Center as recommendations

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

760a85ff-6162-42b3-8d70-698e268f648c

[Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution

Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

22730e10-96f6-4aac-ad84-9383d35b5917

Management ports should be closed on your virtual machines

Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

f8456c1c-aa66-4dfb-861a-25d127b775c9

[Deprecated]: External accounts with owner permissions should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 339353f6-2387-4a45-abe4-7f529d121046. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

bb91dfba-c30d-4263-9add-9c2384e659a6

Non-internet-facing virtual machines should be protected with network security groups

Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Monitoring

6fc8115b-2008-441f-8c61-9b722c1e537f

Workbooks should be saved to storage accounts that you control

Default
Audit
Allowed
deny, Deny, audit, Audit, disabled, Disabled

add

new Policy

2021-01-05 16:06:49

BuiltIn

Security Center

a7aca53f-2ed4-4466-a25e-0b45ade68efd

Azure DDoS Protection should be enabled

DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

e3576e28-8b17-4677-84c3-db2990658d64

[Deprecated]: MFA should be enabled on accounts with read permissions on your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

6ba6d016-e7c3-4842-b8f2-4992ebc0d72d

SQL servers on machines should have vulnerability findings resolved

SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2021-01-05 16:06:49

BuiltIn

Security Center

ebb62a0c-3560-49e1-89ed-27e074e9f8ad

[Deprecated]: Vulnerabilities in security configuration on your machines should be remediated

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

[Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 0cfea604-3201-4e14-88fc-fae4c427a6c5. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

feedbf84-6b99-488c-acc2-71c829aa5ffc

SQL databases should have vulnerability findings resolved

Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (3.0.0 > 4.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

aa633080-8b72-40c4-a2d7-d00c03e80bed

[Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e3e008c3-56b9-4133-8fd7-d3347377402a. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

5c607a2e-c700-4744-8254-d77e7c9eb5e4

[Deprecated]: External accounts with write permissions should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 94e1c2ac-cbbe-4cac-a2b5-389c812dee87. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

5f76cf89-fbf2-47fd-a3f4-b891fa780b60

[Deprecated]: External accounts with read permissions should be removed from your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID e9ac8f8e-ce22-4355-8f04-99b911d6be52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

9297c21d-2ed6-4474-b48f-163f75654ce3

[Deprecated]: MFA should be enabled for accounts with write permissions on your subscription

This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID 931e118d-50a1-4457-a5e4-78550e086c52. Learn more about policy definition deprecation at aka.ms/policydefdeprecation

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Security Center

f6de0be7-9a8a-4b8a-b349-43cf02d22f7c

Internet-facing virtual machines should be protected with network security groups

Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2021-01-05 16:06:49

BuiltIn

Bot Service

6164527b-e1ee-4882-8673-572f425f5e0a

Bot Service endpoint should be a valid HTTPS URI

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2021-01-05 16:06:49

BuiltIn

SQL

0d134df8-db83-46fb-ad72-fe0c9428c8dd

[Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest

This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 instead.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

[Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster

This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (3.0.1-deprecated > 4.0.1-deprecated)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.1)

2020-12-11 15:42:52

BuiltIn

SQL

SQL servers with auditing to storage account destination should be configured with 90 days retention or higher

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes clusters should disable automounting API credentials

Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-12-11 15:42:52

BuiltIn

Container Registry

Container registries should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.1.0 > 1.1.1)

2020-12-11 15:42:52

BuiltIn

Key Vault

Certificates should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Cognitive Services

Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

Kubernetes

4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.1)

2020-12-11 15:42:52

BuiltIn

Security Center

Subscriptions should have a contact email address for security issues

To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Key Vault

98728c90-32c7-4049-8429-847dc0f4fe37

Key Vault secrets should have an expiration date

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Key Vault

4b90e17e-8448-49db-875e-bd83fb6f804f

Key vaults should have soft delete enabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Event Grid

Azure Event Grid topics should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.1)

2020-12-11 15:42:52

BuiltIn

Security Center

Guest Configuration extension should be installed on your machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-12-11 15:42:52

BuiltIn

Key Vault

Key vaults should have deletion protection enabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.1.0 > 1.1.1)

2020-12-11 15:42:52

BuiltIn

Security Center

Deploy export to Event Hub for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Major (1.0.0 > 2.0.0)

2020-12-11 15:42:52

BuiltIn

Kubernetes

86efb160-8de7-451d-bc08-5d475b0aadae

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Data Box

Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password

Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-12-11 15:42:52

BuiltIn

SQL

Public network access should be disabled for PostgreSQL servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

e8eef0a8-67cf-4eb4-9386-14b0e78733d4

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.1)

2020-12-11 15:42:52

BuiltIn

Container Registry

Container registries should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Machine Learning

[Deprecated]: Azure Machine Learning workspaces should use private link

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

SQL

2154edb9-244f-4741-9970-660785bccdaa

Private endpoint connections on Azure SQL Database should be enabled

Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

VM Image Builder

VM Image Builder templates should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Storage

6e2593d9-add6-4083-9c9b-4b7d2188c899

Storage accounts should use customer-managed key for encryption

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Security Center

Email notification for high severity alerts should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes clusters should not use specific security capabilities

Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-12-11 15:42:52

BuiltIn

Cosmos DB

Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Cache

7d7be79c-23ba-4033-84dd-45e2a5ccdd67

[Deprecated]: Azure Cache for Redis should reside within a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-12-11 15:42:52

BuiltIn

Network

564feb30-bf6a-4854-b4bb-0d2d2d1e6c66

Web Application Firewall (WAF) should be enabled for Application Gateway

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

2a1a9cdf-e04d-429a-8416-3bfb72a1b26f

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Storage

Storage accounts should restrict network access using virtual network rules

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Security Center

475aae12-b88a-4572-8b36-9b712b2b3a17

[Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Machine Learning

c349d81b-9985-44ae-a8da-ff98d108ede8

Azure Machine Learning workspaces should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

Data Box

Azure Data Box jobs should enable double encryption for data at rest on the device

Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes clusters should not use the default namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-12-11 15:42:52

BuiltIn

Security Center

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

change

Major (1.0.0 > 2.0.0)

2020-12-11 15:42:52

BuiltIn

Key Vault

Azure Key Vault should have firewall enabled or public network access disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

d38fc420-0735-4ef3-ac11-c806f651a570

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

SQL

Long-term geo-redundant backup should be enabled for Azure SQL Databases

This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-12-11 15:42:52

BuiltIn

Key Vault

152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0

Key Vault keys should have an expiration date

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)

2020-12-11 15:42:52

BuiltIn

Event Grid

9830b652-8523-49cc-b1b3-e17dce1127ca

Azure Event Grid domains should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Key Vault

[Deprecated]: Private endpoint should be configured for Key Vault

The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)

2020-12-11 15:42:52

BuiltIn

Kubernetes

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.1)

2020-12-11 15:42:52

BuiltIn

SQL

Public network access on Azure SQL Database should be disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

App Service

d9844e8a-1437-4aeb-a32c-0c992f056095

[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

SQL

Public network access should be disabled for MySQL servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

Kubernetes

055aa869-bc98-4af8-bafc-23f1ab6ffe2c

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.1)

2020-12-11 15:42:52

BuiltIn

Network

Azure Web Application Firewall should be enabled for Azure Front Door entry-points

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

SignalR

048248b0-55cd-46da-b1ff-39efd52db260

[Deprecated]: Azure SignalR Service should use private link

The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

SQL

[Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest

This policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 instead

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

SQL

fdccbe47-f3e3-4213-ad5d-ea459b2fa077

PostgreSQL servers should use customer-managed keys to encrypt data at rest

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

SQL

Public network access should be disabled for MariaDB servers

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

App Configuration

ca610c1d-041c-4332-9d88-7ed3094967c7

App Configuration should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (2.0.1 > 3.0.1)

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (4.0.1 > 5.0.1)

2020-12-11 15:42:52

BuiltIn

SQL

MySQL servers should use customer-managed keys to encrypt data at rest

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.1 > 1.0.2)

2020-12-11 15:42:52

BuiltIn

Guest Configuration

[Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

2020-12-11 15:42:52

BuiltIn

Kubernetes

5fc23db3-dd4d-4c56-bcc7-43626243e601

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Guest Configuration

[Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled

This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)

2020-12-11 15:42:52

BuiltIn

Security Center

0b15565f-aa9e-48ba-8619-45960f2c314d

Email notification to subscription owner for high severity alerts should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Storage

d26f7642-7545-4e18-9b75-8c9bbdee3a9a

Storage account public access should be disallowed

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)

2020-12-11 15:42:52

BuiltIn

Security Center

Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-12-11 15:42:52

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major (1.0.1 > 2.0.1)

2020-12-11 15:42:52

BuiltIn

Container Registry

61a4d60b-7326-440e-8051-9f94394d4dd1

Container registries should not allow unrestricted network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-12-11 15:42:52

BuiltIn

Tags

Add or replace a tag on subscriptions

Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation.

Fixed
modify

add

new Policy

2020-11-17 14:39:37

BuiltIn

Synapse

72d11df1-dd8a-41f7-8925-b05b960ebafc

Azure Synapse workspaces should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-11-17 14:39:37

BuiltIn

Synapse

2d9dbfa3-927b-4cf0-9d0f-08747f971650

Managed workspace virtual network on Azure Synapse workspaces should be enabled

Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provides user level isolation for Spark activities.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-11-17 14:39:37

BuiltIn

Synapse

f7d52b2d-e161-4dfa-a82b-55e564167385

Azure Synapse workspaces should use customer-managed keys to encrypt data at rest

Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-11-17 14:39:37

BuiltIn

Tags

96d9a89c-0d67-41fc-899d-2b9599f76a24

Add a tag to subscriptions

Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation.

Fixed
modify

add

new Policy

2020-11-17 14:39:37

BuiltIn

Security Center

56fd377d-098c-4f02-8406-81eb055902b8

[Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines

Azure Security Center recommends NSG rules for Internet-facing VMs. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

Patch (2.0.0 > 2.0.1)

2020-11-17 14:39:37

BuiltIn

Synapse

IP firewall rules on Azure Synapse workspaces should be removed

Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-11-17 14:39:37

BuiltIn

Azure Data Explorer

81e74cea-30fd-40d5-802f-d72103c2aaaa

Azure Data Explorer encryption at rest should use a customer-managed key

Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

Portal

04c655fe-0ac7-48ae-9a32-3a2e208c7624

Shared dashboards should not have markdown tiles with inline content

Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to use 2020-09-01-preview or above version of shared dashboards REST API.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

App Configuration

967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1

App Configuration should use a customer-managed key

Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements.

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.1 > 1.1.0)

2020-11-10 16:00:42

BuiltIn

Monitoring

ec068d99-e9c7-401f-8cef-5bdde4e6ccf1

[Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

Major (1.2.0 > 2.0.0)

2020-11-10 16:00:42

BuiltIn

Azure Data Explorer

Double encryption should be enabled on Azure Data Explorer

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

Minor (1.0.0 > 1.1.0)

2020-11-10 16:00:42

BuiltIn

Storage

9ad2fd1f-b25f-47a2-aa01-1a5a779e6413

Storage account public access should be disallowed

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

Major, suffix remains equal (1.0.1-preview > 2.0.0-preview)

2020-11-10 16:00:42

BuiltIn

Azure Data Explorer

Virtual network injection should be enabled for Azure Data Explorer

Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

Security Center

80e94a21-c6cd-4c95-a2c7-beb5704e61c0

Deploy - Configure suppression rules for Azure Security Center alerts

Suppress Azure Security Center alerts to reduce alerts fatigue by deploying suppression rules on your management group or subscription.

Fixed
deployIfNotExists

add

new Policy

2020-11-10 16:00:42

BuiltIn

Stream Analytics

87ba29ef-1ab3-4d82-b763-87fcd4f531f7

Azure Stream Analytics jobs should use customer-managed keys to encrypt data

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

Synapse

3a003702-13d2-4679-941b-937e58c443f0

Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants

Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2020-11-10 16:00:42

BuiltIn

Azure Data Explorer

f4b53539-8df9-40e4-86c6-6b607703bd4e

Disk encryption should be enabled on Azure Data Explorer

Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

Backup

Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

Monitoring

Deploy Log Analytics extension for Linux VMs. See deprecation notice below

Fixed
deployIfNotExists

change

Major (1.2.0 > 2.0.0)

2020-11-10 16:00:42

BuiltIn

Backup

1ee56206-5dd1-42ab-b02d-8aae8b1634ce

Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy

Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

API for FHIR

Azure API for FHIR should use private link

Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

Security Center

feedbf84-6b99-488c-acc2-71c829aa5ffc

SQL databases should have vulnerability findings resolved

Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2020-11-10 16:00:42

BuiltIn

Backup

Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

add

new Policy

2020-11-10 16:00:42

BuiltIn

Machine Learning

a8793640-60f7-487c-b5c3-1d37215905c4

Azure Machine Learning workspaces should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-10-27 14:12:45

BuiltIn

SQL

SQL Managed Instance should have the minimal TLS version of 1.2

Default
Audit
Allowed
Audit, Disabled

change

Patch (1.0.0 > 1.0.1)

2020-10-27 14:12:45

BuiltIn

API for FHIR

051cba44-2429-45b9-9649-46cec11c7119

Azure API for FHIR should use a customer-managed key to encrypt data at rest

Default
Audit
Allowed
audit, Audit, disabled, Disabled

add

new Policy

2020-10-27 14:12:45

BuiltIn

Container Registry

c5447c04-a4d7-4ba8-a263-c9ee321a6858

Container registries should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2020-10-27 14:12:45

BuiltIn

Monitoring

An activity log alert should exist for specific Policy operations

This policy audits specific Policy operations with no activity log alerts configured.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2020-10-27 14:12:45

BuiltIn

Guest Configuration

32e6bbec-16b6-44c2-be37-c5b672d103cf

Audit Linux machines that have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2020-10-27 14:12:45

BuiltIn

SQL

Azure SQL Database should be running TLS version 1.2 or newer

Default
Audit
Allowed
Audit, Disabled, Deny

change

Patch (1.0.0 > 1.0.1)

2020-10-27 14:12:45

BuiltIn

Guest Configuration

057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9

Audit Linux machines that don't have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (2.0.0 > 3.0.0)

2020-10-27 14:12:45

BuiltIn

SQL

[Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-27 14:12:45

BuiltIn

SQL

36d49e87-48c4-4f2e-beed-ba4ed02b71f5

Configure Azure Defender to be enabled on SQL servers

Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Fixed
DeployIfNotExists

change

Minor (1.0.0 > 1.1.0)

2020-10-27 14:12:45

BuiltIn

Key Vault

Key vaults should have deletion protection enabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

Minor (1.0.0 > 1.1.0)

2020-10-23 13:31:09

BuiltIn

Key Vault

Key vaults should have soft delete enabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-23 13:31:09

BuiltIn

App Service

App Service apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

App Service

[Deprecated]: API apps that use Python should use the latest 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

App Service

App Service apps should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.1.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

App Service

Function apps should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

App Service

[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

App Service

App Service apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

Kubernetes

88999f4c-376a-45c8-bcb3-4058f713cf39

Deploy Azure Policy Add-on to Azure Kubernetes Service clusters

Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

count: 002
•Azure Kubernetes Service Contributor Role
•Azure Kubernetes Service Policy Add-on Deployment

add

new Policy

2020-10-20 13:29:33

BuiltIn

App Service

[Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

SQL

Public network access should be disabled for PostgreSQL flexible servers

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-20 13:29:33

BuiltIn

SQL

Public network access should be disabled for MySQL flexible servers

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-20 13:29:33

BuiltIn

App Service

Function apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.1 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

App Service

App Service apps that use PHP should use a specified 'PHP version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

App Service

991310cd-e9f3-47bc-b7b6-f57b557d07db

Function apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

App Service

[Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

Major (1.0.0 > 2.0.0)

2020-10-20 13:29:33

BuiltIn

SQL

24fba194-95d6-48c0-aea7-f65bf859c598

Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers

Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-20 13:29:33

BuiltIn

SQL

3a58212a-c829-4f13-9872-6371df2fd0b4

Infrastructure encryption should be enabled for Azure Database for MySQL servers

Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-20 13:29:33

BuiltIn

Key Vault

75c4f823-d65c-4f29-a733-01d0077fdbcb

Keys should be the specified cryptographic type RSA or EC

Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

49a22571-d204-4c91-a7b6-09b1a586fbc9

Keys should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

ff25f3c8-b739-4538-9d07-3d6d25cfb255

Keys using elliptic curve cryptography should have the specified curve names

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

82067dbb-e53b-4e06-b631-546d197452d9

Keys using RSA cryptography should have a specified minimum key size

Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

5ff38825-c5d8-47c5-b70e-069a21955146

Keys should have more than the specified number of days before expiration

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

c26e4b24-cf98-4c67-b48b-5a25c4c69eb9

Keys should not be active for longer than the specified number of days

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

e8d99835-8a06-45ae-a8e0-87a91941ccfe

Secrets should not be active for longer than the specified number of days

If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

75262d3e-ba4a-4f43-85f8-9f72c090e5e3

Secrets should have content type set

A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0

Key Vault keys should have an expiration date

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

587c79fe-dd04-4a5e-9d0b-f89598c7261b

Keys should be backed by a hardware security module (HSM)

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

b0eb591a-5e70-4534-a8bf-04b9c489584a

Secrets should have more than the specified number of days before expiration

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

342e8053-e12e-4c44-be01-c3c2f318400f

Secrets should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

Key Vault

98728c90-32c7-4049-8429-847dc0f4fe37

Key Vault secrets should have an expiration date

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-16 12:27:50

BuiltIn

6fdb9205-3462-4cfc-87d8-16c7860b53f4

n/a

remove

6fdb9205-3462-4cfc-87d8-16c7860b53f4

2020-10-15 14:28:11 (i)

BuiltIn

e01598e8-6538-41ed-95e8-8b29746cd697

n/a

remove

e01598e8-6538-41ed-95e8-8b29746cd697

2020-10-15 14:28:11 (i)

BuiltIn

Lighthouse

7a8a51a3-ad87-4def-96f3-65a1839242b6

Allow managing tenant ids to onboard through Azure Lighthouse

Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.

Fixed
deny

change

Patch (1.0.0 > 1.0.1)

2020-10-13 13:23:36

BuiltIn

Storage

4733ea7b-a883-42fe-8cac-97454c2a9e4a

Storage accounts should have infrastructure encryption

Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-10-07 16:00:33

BuiltIn

Lighthouse

7a8a51a3-ad87-4def-96f3-65a1839242b6

Allow managing tenant ids to onboard through Azure Lighthouse

Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.

Fixed
deny

add

new Policy

2020-09-30 14:32:32

BuiltIn

Guest Configuration

93507a81-10a4-4af0-9ee2-34cf25a96e98

[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members

This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

5bb36dda-8a78-4df9-affd-4f05a8612a8a

[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one

This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

b821191b-3a12-44bc-9c38-212138a29ff3

[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members

This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

f3b44e5d-1456-475f-9c67-c66c4618e85a

[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

0a15ec92-a229-4763-bb14-0ea34a568f8d

Authentication to Linux machines should require SSH keys

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-16 13:09:49

BuiltIn

Kubernetes

Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters

Default
Audit
Allowed
Audit, Disabled

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

144f1397-32f9-4598-8c88-118decc3ccba

[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members

This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

02a84be7-c304-421f-9bb7-5d2c26af54ad

Windows Defender Exploit Guard should be enabled on your machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

bde62c94-ccca-4821-a815-92c1d31a76de

[Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

cc7cda28-f867-4311-8497-a526129a8d19

[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-16 13:09:49

BuiltIn

Guest Configuration

43bb60fe-1d7e-4b82-9e93-496bfc99e7d5

Windows machines should meet requirements for 'System Audit Policies - Account Logon'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

8537fe96-8cbe-43de-b0ef-131bc72bc22a

Windows machines should meet requirements for 'Windows Components'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

new Policy

2020-09-15 14:06:41

BuiltIn

Automanage

[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

35781875-8026-4628-b19b-f6efb4d88a1d

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Fixed
modify

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'System Audit Policies - Object Access'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

e0a7e899-2ce2-4253-8a13-d808fdeb75af

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

8794ff4f-1a35-4e18-938f-0b22055067cd

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Fixed
modify

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Devices'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

8316fa92-d69c-4810-8124-62414f560dcf

Windows machines should meet requirements for 'System Audit Policies - System'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

19be9779-c776-4dfa-8a15-a2fd5dc843d6

Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

12017595-5a75-4bb1-9d97-4c2c939ea3c3

Windows machines should meet requirements for 'Security Options - System settings'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

58383b73-94a9-4414-b382-4146eb02611b

Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

Fixed
deployIfNotExists

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Configure time zone on Windows machines.

This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.

Fixed
deployIfNotExists

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

caf2d518-f029-4f6b-833b-d7081702f253

Authentication to Linux machines should require SSH keys

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Microsoft Network Server'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

1221c620-d201-468c-81e7-2817e6107e84

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Network Security'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Network Access'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

ee984370-154a-4ee8-9726-19d900e56fc0

Windows machines should meet requirements for 'Security Options - Accounts'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

2f262ace-812a-4fd0-b731-b38ba9e9708d

Windows machines should meet requirements for 'Security Options - System objects'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

968410dc-5ca0-4518-8a5b-7b55f0530ea9

Windows machines should meet requirements for 'Administrative Templates - System'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

d472d2c9-d6a3-4500-9f5f-b15f123005aa

Windows machines should meet requirements for 'Security Options - Interactive Logon'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

94d9aca8-3757-46df-aa51-f218c5f11954

Windows Defender Exploit Guard should be enabled on your machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'System Audit Policies - Account Management'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

f71be03e-e25b-4d0f-b8bc-9b3e309b66c0

Windows machines should meet requirements for 'Security Options - Recovery console'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

d6c69680-54f0-4349-af10-94dd05f4225e

Windows machines should meet requirements for 'Security Options - Microsoft Network Client'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

87845465-c458-45f3-af66-dcd62176f397

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'System Audit Policies - Privilege Use'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

2a7a701e-dff3-4da9-9ec5-42cb98594c0b

Windows machines should meet requirements for 'System Audit Policies - Policy Change'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

67e010c1-640d-438e-a3a5-feaccb533a98

Windows machines should meet requirements for 'Administrative Templates - Network'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

b4a4d1eb-0263-441b-84cb-a44073d8372d

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - Shutdown'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

492a29ed-d143-4f03-b6a4-705ce081b463

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Options - User Account Control'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

e068b215-0026-4354-b347-8fb2766f73a2

Windows machines should meet requirements for 'User Rights Assignment'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

35d9882c-993d-44e6-87d2-db66ce21b636

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Windows Firewall Properties'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

f2143251-70de-4e81-87a8-36cee5a2f29d

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Security Settings - Account Policies'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Kubernetes

3aa2661b-02d7-4ba6-99bc-dc36b10489fd

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

Windows machines should meet requirements for 'Administrative Templates - Control Panel'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

33936777-f2ac-45aa-82ec-07958ec9ade4

Windows machines should meet requirements for 'Security Options - Audit'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-15 14:06:41

BuiltIn

Guest Configuration

4d1c04de-2172-403f-901b-90608c35c721

Audit Linux machines that have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

f3b44e5d-1456-475f-9c67-c66c4618e85a

[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

1417908b-4bff-46ee-a2a6-4acc899320ab

Audit Windows machines that contain certificates expiring within the specified number of days

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

a2d0e922-65d0-40c4-8f87-ea6da2d307a2

Audit Windows machines that do not restrict the minimum password length to specified number of characters

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

fee5cb2b-9d9b-410e-afe3-2902d90d0004

[Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

9f658460-46b7-43af-8565-94fc0662be38

[Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

bde62c94-ccca-4821-a815-92c1d31a76de

[Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

4ceb8dc2-559c-478b-a15b-733fbf1e3738

Audit Windows machines that do not have the maximum password age set to specified number of days

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

5aebc8d1-020d-4037-89a0-02043a7524ec

[Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

60ffe3e2-4604-4460-8f22-0f1da058266c

[Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

da0f98fe-a24b-4ad5-af69-bd0400233661

Audit Windows machines that do not store passwords using reversible encryption

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

630ac30f-a234-4533-ac2d-e0df77acda51

Audit Windows machines network connectivity

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

32b1e4d4-6cd5-47b4-a935-169da8a5c262

[Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running'

This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

a29ee95c-0395-4515-9851-cc04ffe82a91

[Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

5b054a0d-39e2-4d53-bea3-9734cad2c69b

Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Managed Application

9db7917b-1607-4e7d-a689-bca978dd0633

Application definition for Managed Application should use customer provided storage account

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

93507a81-10a4-4af0-9ee2-34cf25a96e98

[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

8ff0b18b-262e-4512-857a-48ad0aeb9a78

Audit Linux machines that don't have the specified applications installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption

This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

12f7e5d0-42a7-4630-80d8-54fb7cff9bd6

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed

This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

23020aa6-1135-4be2-bae2-149982b06eca

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters

This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

c96f3246-4382-4264-bf6b-af0b35e23c3c

[Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot

This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

8b0de57a-f511-4d45-a277-17cb79cb163b

[Deprecated]: Show audit results from Windows VMs with a pending reboot

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

f0633351-c7b2-41ff-9981-508fc08553c2

[Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed

This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13

[Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

SQL

SQL Database should avoid using GRS backup redundancy

Default
Deny
Allowed
Deny, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

cc7cda28-f867-4311-8497-a526129a8d19

[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

c633f6a2-7f8b-4d9e-9456-02f0f04f5505

Audit Windows machines that are not set to the specified time zone

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

b2fc8f91-866d-4434-9089-5ebfe38d6fd8

[Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols

This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

SQL

a9934fd7-29f2-4e6d-ab3d-607ea38e9079

SQL Managed Instances should avoid using GRS backup redundancy

Default
Deny
Allowed
Deny, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

f3b9ad83-000d-4dc1-bff0-6d54533dd03f

[Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

f48b2913-1dc5-4834-8c72-ccc1dfd819bb

[Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

a030a57e-4639-4e8f-ade9-a92f33afe7ee

[Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

144f1397-32f9-4598-8c88-118decc3ccba

[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

e6ebf138-3d71-4935-a13b-9c7fdddd94df

Audit Windows machines on which the specified services are not installed and 'Running'

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

9328f27e-611e-44a7-a244-39109d7d35ab

[Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Key Vault

a3a6ea0c-e018-4933-9ef0-5aaa1501449b

Azure Key Vault should have firewall enabled or public network access disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Security Center

[Deprecated]: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring

Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

84662df4-0e37-44a6-9ce1-c9d2150db18c

Audit Windows machines that are not joined to the specified domain

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

d38b4c26-9d2e-47d7-aefe-18d859a8706a

[Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant

This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

Audit Linux machines that do not have the passwd file permissions set to 0644

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

726671ac-c4de-4908-8c7d-6043ae62e3b6

Audit Linux machines that allow remote connections from accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords

This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Security Center

6646a0bd-e110-40ca-bb97-84fcee63c414

[Deprecated]: Service principals should be used to protect your subscriptions instead of management certificates

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

24dde96d-f0b1-425e-884f-4a1421e2dcdc

[Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f

[Deprecated]: Show audit results from Linux VMs that have accounts without passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

Audit Windows machines that have the specified members in the Administrators group

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7

Audit Windows machines missing any of specified members in the Administrators group

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

Audit Linux machines that have accounts without passwords

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that have accounts without passwords

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

5bb36dda-8a78-4df9-affd-4f05a8612a8a

[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

16390df4-2f73-4b42-af13-c801066763df

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day

This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

b821191b-3a12-44bc-9c38-212138a29ff3

[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

356a906e-05e5-4625-8729-90771e0ee934

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days

This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

7227ebe5-9ff7-47ab-b823-171cd02fb90f

[Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

58c460e9-7573-4bb2-9676-339c2f2486bb

Audit Windows machines on which Windows Serial Console is not enabled

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

ebb67efd-3c46-49b0-adfe-5599eb944998

Audit Windows machines that don't have the specified applications installed

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

7e56b49b-5990-4159-a734-511ea19b731c

Windows machines should be configured to use secure communication protocols

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs that have the specified applications installed

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

5b842acb-0fe7-41b0-9f40-880ec4ad84d8

[Deprecated]: Show audit results from Linux VMs that have the specified applications installed

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

c5b85cba-6e6f-4de4-95e1-f0233cd712ac

Audit Windows machines that have the specified applications installed

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

cdbf72d9-ac9c-4026-8a3a-491a5ac59293

[Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

934345e1-4dfb-4c70-90d7-41990dc9608b

Audit Windows machines that do not contain the specified certificates in Trusted Root

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

c5fbc59e-fb6f-494f-81e2-d99a671bdaa8

[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days

This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

315c850a-272d-4502-8935-b79010405970

[Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain

This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

6265018c-d7e2-432f-a75d-094d5f6f4465

Audit Windows machines on which the Log Analytics agent is not connected as expected

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Key Vault

[Deprecated]: Private endpoint should be configured for Key Vault

The policy 5f0bc445-3935-4915-9981-011aa2b46147 has been deprecated as it has been replaced by newer policy a6abeaec-4d90-4a02-805f-6b26c4d3fbe9

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd

[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

Audit Windows machines on which the DSC configuration is not compliant

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

5e393799-e3ca-4e43-a9a5-0ec4648a57d9

[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

7e84ba44-6d03-46fd-950e-5efa5a1112fa

[Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled

This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Security Center

d62cfe2b-3ab0-4d41-980d-76803b58ca65

[Deprecated]: Log Analytics agent health issues should be resolved on your machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Security Center

5a913c68-0590-402c-a531-e57e19379da3

[Deprecated]: Operating system version should be the most current version for your cloud service roles

Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

68511db2-bd02-41c4-ae6b-1900a012968a

[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected

This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

beb6ccee-b6b8-4e91-9801-a5fa4260a104

Audit Windows machines that have not restarted within the specified number of days

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

3d2a3320-2a72-4c67-ac5f-caa40fbee2b2

Audit Windows machines that have extra accounts in the Administrators group

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

237b38db-ca4d-4259-9e47-7882441ca2c0

Audit Windows machines that do not have the minimum password age set to specified number of days

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the minimum password age set to specified number of days. Default value for minimum password age is 1 day

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

7a031c68-d6ab-406e-a506-697a19c634b0

[Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled

This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

106ccbe4-a791-4f33-a44a-06796944b8d5

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root

This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

2d60d3b7-aa10-454c-88a8-de39d99d17c6

[Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a

[Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

c21f7060-c148-41cf-a68b-0ab3e14c764c

[Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone

This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

4221adbc-5c0f-474f-88b7-037a99e6114c

Audit Windows VMs with a pending reboot

Fixed
auditIfNotExists

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

f4b245d4-46c9-42be-9b1a-49e2b5b94194

[Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days

This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Security Center

a4fe33eb-e377-4efb-ab31-0784311bc499

[Deprecated]: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring

This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

d7ccd0ca-8d78-42af-a43d-6b7f928accbc

[Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

02a84be7-c304-421f-9bb7-5d2c26af54ad

[Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

bf16e0bb-31e1-4646-8202-60a235cc7e74

Audit Windows machines that do not have the password complexity setting enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

5aa11bbc-5c76-4302-80e5-aba46a4282e7

[Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

Guest Configuration

884b209a-963b-4520-8006-d20cb3c213e0

[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed

Fixed
deployIfNotExists

change

new Policy

2020-09-09 11:24:03

BuiltIn

App Service

ab965db2-d2bf-4b64-8b39-c38ec8179461

[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app

PHP cannot be used with Function apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

App Service

843664e0-7563-41ee-a9cb-7522c382d2c4

[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app

This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Key Vault

10c1859c-e1a7-4df3-ab97-a487fa8059f6

Certificates should be issued by the specified integrated certificate authority

Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

App Service

[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App

This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Key Vault

aa81768c-cb87-4ce2-bfaa-00baa10d760c

Certificates should not expire within the specified number of days

Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

App Service

[Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App

This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

App Service

c2e7ca55-f62c-49b2-89a4-d41eb661d2f0

[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app

This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Key Vault

Certificates should have the specified lifetime action triggers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Key Vault

Certificates using RSA cryptography should have the specified minimum key size

Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Key Vault

Certificates should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Key Vault

Certificates should use allowed key types

Manage your organizational compliance requirements by restricting the key types allowed for certificates.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Key Vault

86d97760-d216-4d81-a3ad-163087b2b6c3

Certificates using elliptic curve cryptography should have allowed curve names

Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

App Service

[Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app

This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Cognitive Services

f0473e7a-a1ba-4e86-afb2-e829e11b01d8

Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)

Default
Audit
Allowed
Audit, Deny, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

App Service

[Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App

This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Security Center

501541f7-f7e7-4cd6-868c-4190fdad3ac9

A vulnerability assessment solution should be enabled on your virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Key Vault

Certificates should be issued by the specified non-integrated certificate authority

Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-09-02 14:03:46

BuiltIn

Guest Configuration

3e4e2bd5-15a2-4628-b3e1-58977e9793f3

Linux machines should meet requirements for the Azure compute security baseline

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-09-02 14:03:46

BuiltIn

84ce0900-69cd-4b5e-b676-0b5a66d027c9

n/a

remove

84ce0900-69cd-4b5e-b676-0b5a66d027c9

2020-08-31 13:45:20 (i)

BuiltIn

Guest Configuration

Audit Windows machines that do not have the specified Windows PowerShell modules installed

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-27 15:39:26

BuiltIn

Guest Configuration

e0efc13a-122a-47c5-b817-2ccfe5d12615

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy

This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-27 15:39:26

BuiltIn

84ce0900-69cd-4b5e-b676-0b5a66d027c9

Fixed

add

new Policy

2020-08-27 15:39:26

BuiltIn

Network

0db34a60-64f4-4bf6-bd44-f95c16cf34b9

Deploy a flow log resource with target network security group

Fixed
deployIfNotExists

add

new Policy

2020-08-27 15:39:26

BuiltIn

Guest Configuration

90ba2ee7-4ca8-4673-84d1-c851c50d3baf

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed

This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-27 15:39:26

BuiltIn

Guest Configuration

Audit Windows machines that do not have the specified Windows PowerShell execution policy

Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-27 15:39:26

BuiltIn

Machine Learning

Azure Machine Learning workspaces should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-08-27 15:39:26

BuiltIn

Storage

f8036bd0-c10b-4931-86bb-94a878add855

Storage account public access should be disallowed

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-08-27 15:39:26

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-27 15:39:26

BuiltIn

Machine Learning

16f9b37c-4408-4c30-bc17-254958f2e2d6

[Deprecated]: Azure Machine Learning workspaces should use private link

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-08-27 15:39:26

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-27 15:39:26

BuiltIn

Network

c251913d-7d24-4958-af87-478ed3b9ba41

Flow logs should be configured for every network security group

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-08-27 15:39:26

BuiltIn

Guest Configuration

1f8c20ce-3414-4496-8b26-0e902a1541da

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

620e58b5-ac75-49b4-993f-a9d4f0459636

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

d472d2c9-d6a3-4500-9f5f-b15f123005aa

Windows machines should meet requirements for 'Security Options - Interactive Logon'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

e068b215-0026-4354-b347-8fb2766f73a2

Windows machines should meet requirements for 'User Rights Assignment'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

f8b0158d-4766-490f-bea0-259e52dba473

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

e3d95ab7-f47a-49d8-a347-784177b6c94c

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

a9a33475-481d-4b81-9116-0bf02ffe67e8

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

60aeaf73-a074-417a-905f-7ce9df0ff77b

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

909c958d-1b99-4c74-b88f-46a5c5bc34f9

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

2a7a701e-dff3-4da9-9ec5-42cb98594c0b

Windows machines should meet requirements for 'System Audit Policies - Policy Change'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

3aa2661b-02d7-4ba6-99bc-dc36b10489fd

Windows machines should meet requirements for 'Administrative Templates - Control Panel'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

f71be03e-e25b-4d0f-b8bc-9b3e309b66c0

Windows machines should meet requirements for 'Security Options - Recovery console'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

86880e5c-df35-43c5-95ad-7e120635775e

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

35d9882c-993d-44e6-87d2-db66ce21b636

Windows machines should meet requirements for 'Windows Firewall Properties'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

c1e289c0-ffad-475d-a924-adc058765d65

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

c961dac9-5916-42e8-8fb1-703148323994

[Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

ba12366f-f9a6-42b8-9d98-157d0b1a837b

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

7040a231-fb65-4412-8c0a-b365f4866c24

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

97646672-5efa-4622-9b54-740270ad60bf

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

225e937e-d32e-4713-ab74-13ce95b3519a

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

f56a3ab2-89d1-44de-ac0d-2ada5962e22a

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

1221c620-d201-468c-81e7-2817e6107e84

Windows machines should meet requirements for 'Security Options - Network Security'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

35781875-8026-4628-b19b-f6efb4d88a1d

Windows machines should meet requirements for 'System Audit Policies - Object Access'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

36e17963-7202-494a-80c3-f508211c826b

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

f2143251-70de-4e81-87a8-36cee5a2f29d

Windows machines should meet requirements for 'Security Settings - Account Policies'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

492a29ed-d143-4f03-b6a4-705ce081b463

Windows machines should meet requirements for 'Security Options - User Account Control'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

c8abcef9-fc26-482f-b8db-5fa60ee4586d

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

8794ff4f-1a35-4e18-938f-0b22055067cd

Windows machines should meet requirements for 'Security Options - Devices'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

2f262ace-812a-4fd0-b731-b38ba9e9708d

Windows machines should meet requirements for 'Security Options - System objects'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

985285b7-b97a-419c-8d48-c88cc934c8d8

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

b872a447-cc6f-43b9-bccf-45703cd81607

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

19be9779-c776-4dfa-8a15-a2fd5dc843d6

Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

6fe4ef56-7576-4dc4-8e9c-26bad4b087ce

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

5c028d2a-1889-45f6-b821-31f42711ced8

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

87b590fe-4a1d-4697-ae74-d4fe72ab786c

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

fcbc55c9-f25a-4e55-a6cb-33acb3be778b

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

b3802d79-dd88-4bce-b81d-780218e48280

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

8537fe96-8cbe-43de-b0ef-131bc72bc22a

Windows machines should meet requirements for 'Windows Components'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

40917425-69db-4018-8dae-2a0556cef899

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

94d9aca8-3757-46df-aa51-f218c5f11954

Windows machines should meet requirements for 'System Audit Policies - Account Management'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

3d7b154e-2700-4c8c-9e46-cb65ac1578c2

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

58383b73-94a9-4414-b382-4146eb02611b

Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

8e170edb-e0f5-497a-bb36-48b3280cec6a

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

3750712b-43d0-478e-9966-d2c26f6141b9

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

e5b81f87-9185-4224-bf00-9f505e9f89f3

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

43bb60fe-1d7e-4b82-9e93-496bfc99e7d5

Windows machines should meet requirements for 'System Audit Policies - Account Logon'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

caf2d518-f029-4f6b-833b-d7081702f253

Windows machines should meet requirements for 'Security Options - Microsoft Network Server'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

87845465-c458-45f3-af66-dcd62176f397

Windows machines should meet requirements for 'System Audit Policies - Privilege Use'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

437a1f8f-8552-47a8-8b12-a2fee3269dd5

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

ce2370f6-0ac5-4d85-8ab4-10721cc640b0

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd

Windows machines should meet requirements for 'Security Options - Network Access'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

bc87d811-4a9b-47cc-ae54-0a41abda7768

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

e0a7e899-2ce2-4253-8a13-d808fdeb75af

Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

a1e8dda3-9fd2-4835-aec3-0e55531fde33

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

0a9991e6-21be-49f9-8916-a06d934bcf29

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

33936777-f2ac-45aa-82ec-07958ec9ade4

Windows machines should meet requirements for 'Security Options - Audit'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

29829ec2-489d-4925-81b7-bda06b1718e0

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

498b810c-59cd-4222-9338-352ba146ccf3

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

c04255ee-1b9f-42c1-abaa-bf1553f79930

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

6481cc21-ed6e-4480-99dd-ea7c5222e897

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

21e2995e-683e-497a-9e81-2f42ad07050a

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

815dcc9f-6662-43f2-9a03-1b83e9876f24

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

b4a4d1eb-0263-441b-84cb-a44073d8372d

Windows machines should meet requirements for 'Security Options - Shutdown'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

97b595c8-fd10-400e-8543-28e2b9138b13

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

8bbd627e-4d25-4906-9a6e-3789780af3ec

[Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

12ae2d24-3805-4b37-9fa9-465968bfbcfa

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

ddb53c61-9db4-41d4-a953-2abff5b66c12

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

12017595-5a75-4bb1-9d97-4c2c939ea3c3

Windows machines should meet requirements for 'Security Options - System settings'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

dd4680ed-0559-4a6a-ad10-081d14cbb484

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

bbcdd8fa-b600-4ee3-85b8-d184e3339652

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

7066131b-61a6-4917-a7e4-72e8983f0aa6

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

ec7ac234-2af5-4729-94d2-c557c071799d

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

8316fa92-d69c-4810-8124-62414f560dcf

Windows machines should meet requirements for 'System Audit Policies - System'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

968410dc-5ca0-4518-8a5b-7b55f0530ea9

Windows machines should meet requirements for 'Administrative Templates - System'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

42a07bbf-ffcf-459a-b4b1-30ecd118a505

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

30040dab-4e75-4456-8273-14b8f75d91d9

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

67e010c1-640d-438e-a3a5-feaccb533a98

Windows machines should meet requirements for 'Administrative Templates - Network'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

d6c69680-54f0-4349-af10-94dd05f4225e

Windows machines should meet requirements for 'Security Options - Microsoft Network Client'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

e3a77a94-cf41-4ee8-b45c-98be28841c03

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

9178b430-2295-406e-bb28-f6a7a2a2f897

[Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

7229bd6a-693d-478a-87f0-1dc1af06f3b8

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

8a39d1f1-5513-4628-b261-f469a5a3341b

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

e425e402-a050-45e5-b010-bd3f934589fc

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-08-20 14:05:01

BuiltIn

Guest Configuration

ee984370-154a-4ee8-9726-19d900e56fc0

Windows machines should meet requirements for 'Security Options - Accounts'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-20 14:05:01

BuiltIn

Security Center

fb893a29-21bb-418c-a157-e99480ec364c

[Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys)

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-19 13:49:29

BuiltIn

Security Center

Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version

Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+

Default
Audit
Allowed
Audit, Disabled

change

new Policy

2020-08-19 13:49:29

BuiltIn

Security Center

0e246bcf-5f6f-4f87-bc6f-775d4712c7ea

Authorized IP ranges should be defined on Kubernetes Services

Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.

Default
Audit
Allowed
Audit, Disabled

change

new Policy

2020-08-19 13:49:29

BuiltIn

App Platform

af35e2a4-ef96-44e7-a9ae-853dd97032c4

Azure Spring Cloud should use network injection

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2020-08-19 13:49:29

BuiltIn

Security Center

Role-Based Access Control (RBAC) should be used on Kubernetes Services

Default
Audit
Allowed
Audit, Disabled

change

new Policy

2020-08-19 13:49:29

BuiltIn

Storage

6edd7eda-6dd8-40f7-810d-67160c639cd9

Storage accounts should use customer-managed key for encryption

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-08-18 14:06:57

BuiltIn

Storage

Storage accounts should use private link

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-08-18 14:06:57

BuiltIn

Storage

2a1a9cdf-e04d-429a-8416-3bfb72a1b26f

Storage accounts should restrict network access using virtual network rules

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-08-18 14:06:57

BuiltIn

Guest Configuration

aeb23562-188d-47cb-80b8-551f16ef9fff

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Fixed
modify

change

new Policy

2020-08-05 13:05:29

BuiltIn

SQL

[Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings

Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-08-05 13:05:29

BuiltIn

App Configuration

967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1

App Configuration should use a customer-managed key

Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements.

Default
Audit
Allowed
Audit, Deny, Disabled

change

new Policy

2020-08-05 13:05:29

BuiltIn

SQL

3965c43d-b5f4-482e-b74a-d89ee0e0b3a8

[Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts

Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-08-05 13:05:29

BuiltIn

Guest Configuration

c8343d2f-fdc9-4a97-b76f-fc71d1163bfc

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

change

new Policy

2020-08-05 13:05:29

BuiltIn

SQL

[Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings

Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-08-05 13:05:29

BuiltIn

Guest Configuration

Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

Fixed
deployIfNotExists

change

new Policy

2020-08-05 13:05:29

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.

Fixed
deployIfNotExists

change

new Policy

2020-07-17 15:57:10

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Fixed
modify

add

new Policy

2020-07-17 15:57:10

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Fixed
modify

add

new Policy

2020-07-17 15:57:10

BuiltIn

Guest Configuration

501541f7-f7e7-4cd6-868c-4190fdad3ac9

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.

This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.

Fixed
deployIfNotExists

change

new Policy

2020-07-17 15:57:10

BuiltIn

Security Center

A vulnerability assessment solution should be enabled on your virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

Security Center

[Deprecated]: Allowlist rules in your adaptive application control policy should be updated

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

Security Center

523b5cd1-3e23-492f-a539-13118b6d1e3a

[Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

Security Center

[Deprecated]: Azure Defender for Kubernetes should be enabled

Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

Security Center

c25d9a16-bc35-4e15-a7e5-9db606bf9ed4

[Deprecated]: Azure Defender for container registries should be enabled

Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

Security Center

6581d072-105e-4418-827f-bd446d56421b

Azure Defender for SQL servers on machines should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

Security Center

2913021d-f2fd-4f3d-b958-22354e2bdbcb

[Deprecated]: Microsoft Defender for Storage (Classic) should be enabled

Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

Security Center

Azure Defender for App Service should be enabled

Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

Security Center

0e6763cc-5078-4e64-889d-ff4d9a839047

Azure Defender for Key Vault should be enabled

Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-14 15:28:17

BuiltIn

SQL

a8793640-60f7-487c-b5c3-1d37215905c4

SQL Managed Instance should have the minimal TLS version of 1.2

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-07-14 15:28:17

BuiltIn

SQL

32e6bbec-16b6-44c2-be37-c5b672d103cf

Azure SQL Database should be running TLS version 1.2 or newer

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2020-07-14 15:28:17

BuiltIn

Network

be7ed5c8-2660-4136-8216-e6f3412ba909

[Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway

Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources.

Default
Deny
Allowed
Audit, Deny, Disabled

change

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster pod FlexVolume volumes should only use allowed drivers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster pods should only use allowed volume types

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster containers should run with a read only root file system

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes clusters should not allow container privilege escalation

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed capabilities

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed AppArmor profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster containers should not use forbidden sysctl interfaces

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster pods should only use approved host network and port range

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

SQL

f6b68e5a-7207-4638-a1fb-47d90404209e

Private endpoint connections on Azure SQL Database should be enabled

Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.

Default
Audit
Allowed
Audit, Disabled

change

new Policy

2020-07-08 14:28:08

BuiltIn

Network

[Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service

Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group.

Default
Deny
Allowed
Audit, Deny, Disabled

change

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

425bea59-a659-4cbb-8d31-34499bd030b8

Kubernetes cluster containers should only use allowed ProcMountType

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Network

Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service

Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

055aa869-bc98-4af8-bafc-23f1ab6ffe2c

Kubernetes cluster pod hostPath volumes should only use allowed host paths

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Network

Azure Web Application Firewall should be enabled for Azure Front Door entry-points

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Network

564feb30-bf6a-4854-b4bb-0d2d2d1e6c66

Web Application Firewall (WAF) should be enabled for Application Gateway

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed seccomp profiles

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only use allowed SELinux options

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

SQL

Public network access on Azure SQL Database should be disabled

Default
Audit
Allowed
Audit, Deny, Disabled

change

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

Kubernetes cluster pods and containers should only run with approved user and group IDs

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Kubernetes

12430be1-6cc8-4527-a9a8-e3d38f250096

Kubernetes cluster containers should not share host process ID or host IPC namespace

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

Network

Web Application Firewall (WAF) should use the specified mode for Application Gateway

Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-07-08 14:28:08

BuiltIn

SQL

77e8b146-0078-4fb2-b002-e112381199f0

Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet

Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary.

Fixed
AuditIfNotExists

add

new Policy

2020-07-08 14:28:08

BuiltIn

SQL

3965c43d-b5f4-482e-b74a-d89ee0e0b3a8

[Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-01 14:50:07

BuiltIn

SQL

e756b945-1b1b-480b-8de8-9a0859d5f7ad

Public network access on Azure SQL Database should be disabled

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-07-01 14:50:07

BuiltIn

SQL

[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings

It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-01 14:50:07

BuiltIn

SQL

c8343d2f-fdc9-4a97-b76f-fc71d1163bfc

[Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-01 14:50:07

BuiltIn

SignalR

9677b740-f641-4f3c-b9c5-466005c85278

[Deprecated]: Azure SignalR Service should use private link

The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead.

Default
Audit
Allowed
Audit, Deny, Disabled

change

new Policy

2020-07-01 14:50:07

BuiltIn

SQL

[Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts

Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-01 14:50:07

BuiltIn

SQL

bda18df3-5e41-4709-add9-2554ce68c966

Private endpoint connections on Azure SQL Database should be enabled

Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-07-01 14:50:07

BuiltIn

SQL

[Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings

It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-01 14:50:07

BuiltIn

SQL

aeb23562-188d-47cb-80b8-551f16ef9fff

[Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-07-01 14:50:07

BuiltIn

VM Image Builder

2154edb9-244f-4741-9970-660785bccdaa

VM Image Builder templates should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet.

Default
Audit
Allowed
Audit, Disabled, Deny

add

new Policy

2020-07-01 14:50:07

BuiltIn

Guest Configuration

5fc23db3-dd4d-4c56-bcc7-43626243e601

[Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-06-30 14:58:19

BuiltIn

497dff13-db2a-4c0f-8603-28fa3b331ab6

n/a

remove

497dff13-db2a-4c0f-8603-28fa3b331ab6

2020-06-29 05:46:45 (i)

BuiltIn

3cf2ab00-13f1-4d0c-8971-2ac904541a7e

n/a

remove

3cf2ab00-13f1-4d0c-8971-2ac904541a7e

2020-06-29 05:46:45 (i)

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.

Fixed
deployIfNotExists

change

new Policy

2020-06-29 05:46:45

BuiltIn

Guest Configuration

7fe3b40f-802b-4cdd-8bd4-fd799c948cc2

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.

Fixed
deployIfNotExists

change

new Policy

2020-06-29 05:46:45

BuiltIn

Security Center

Azure Defender for Azure SQL Database servers should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Security Center

523b5cd1-3e23-492f-a539-13118b6d1e3a

[Deprecated]: Azure Defender for Kubernetes should be enabled

Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Security Center

0e6763cc-5078-4e64-889d-ff4d9a839047

Azure Defender for Key Vault should be enabled

Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.

Fixed
deployIfNotExists

change

new Policy

2020-06-23 16:03:25

BuiltIn

Machine Learning

[Preview]: Configure code signing for training code for specified Azure Machine Learning computes

Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Cosmos DB

4da35fc9-c9e7-4960-aec9-797fe7d9051d

Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Security Center

Azure Defender for servers should be enabled

Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Security Center

c25d9a16-bc35-4e15-a7e5-9db606bf9ed4

[Deprecated]: Azure Defender for container registries should be enabled

Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Fixed
modify

add

new Policy

2020-06-23 16:03:25

BuiltIn

Guest Configuration

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Fixed
modify

add

new Policy

2020-06-23 16:03:25

BuiltIn

Guest Configuration

Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

Fixed
deployIfNotExists

add

new Policy

2020-06-23 16:03:25

BuiltIn

Guest Configuration

0a15ec92-a229-4763-bb14-0ea34a568f8d

[Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Kubernetes

Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Security Center

2913021d-f2fd-4f3d-b958-22354e2bdbcb

[Deprecated]: Microsoft Defender for Storage (Classic) should be enabled

Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Security Center

Azure Defender for App Service should be enabled

Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Guest Configuration

Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs

Fixed
deployIfNotExists

add

new Policy

2020-06-23 16:03:25

BuiltIn

Cosmos DB

6581d072-105e-4418-827f-bd446d56421b

Azure Cosmos DB accounts should have firewall rules

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Security Center

Azure Defender for SQL servers on machines should be enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Guest Configuration

0fea8f8a-4169-495d-8307-30ec335f387d

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.

Fixed
deployIfNotExists

change

new Policy

2020-06-23 16:03:25

BuiltIn

API for FHIR

CORS should not allow every domain to access your API for FHIR

Default
Audit
Allowed
audit, Audit, disabled, Disabled

add

new Policy

2020-06-23 16:03:25

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machines

Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.

Fixed
deployIfNotExists

change

new Policy

2020-06-22 16:06:25

BuiltIn

Monitoring

f6b68e5a-7207-4638-a1fb-47d90404209e

Deploy - Configure Dependency agent to be enabled on Windows virtual machines

Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-06-22 16:06:25

BuiltIn

Network

[Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-11 19:46:04

BuiltIn

Network

be7ed5c8-2660-4136-8216-e6f3412ba909

[Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway

Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources.

Default
Deny
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-11 19:46:04

BuiltIn

Guest Configuration

a9a33475-481d-4b81-9116-0bf02ffe67e8

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

ba12366f-f9a6-42b8-9d98-157d0b1a837b

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

5aebc8d1-020d-4037-89a0-02043a7524ec

[Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

23020aa6-1135-4be2-bae2-149982b06eca

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

7066131b-61a6-4917-a7e4-72e8983f0aa6

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

86880e5c-df35-43c5-95ad-7e120635775e

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

f56a3ab2-89d1-44de-ac0d-2ada5962e22a

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Cognitive Services

2bdd0062-9d75-436e-89df-487dd8e4b3c7

[Deprecated]: Cognitive Services accounts should disable public network access

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

Cognitive Services

[Deprecated]: Cognitive Services accounts should enable data encryption

This policy is deprecated. Cognitive Services have data encryption enforced.

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

d38b4c26-9d2e-47d7-aefe-18d859a8706a

[Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Security Center

bb91dfba-c30d-4263-9add-9c2384e659a6

Non-internet-facing virtual machines should be protected with network security groups

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

SignalR

7227ebe5-9ff7-47ab-b823-171cd02fb90f

[Deprecated]: Azure SignalR Service should use private link

The policy is deprecated. Please use /providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234 instead.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

f3b9ad83-000d-4dc1-bff0-6d54533dd03f

[Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

a030a57e-4639-4e8f-ade9-a92f33afe7ee

[Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

97646672-5efa-4622-9b54-740270ad60bf

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

2d60d3b7-aa10-454c-88a8-de39d99d17c6

[Deprecated]: Show audit results from Linux VMs that have accounts without passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

437a1f8f-8552-47a8-8b12-a2fee3269dd5

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

7040a231-fb65-4412-8c0a-b365f4866c24

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

02a84be7-c304-421f-9bb7-5d2c26af54ad

[Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

9328f27e-611e-44a7-a244-39109d7d35ab

[Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

f48b2913-1dc5-4834-8c72-ccc1dfd819bb

[Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

c5fbc59e-fb6f-494f-81e2-d99a671bdaa8

[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

12ae2d24-3805-4b37-9fa9-465968bfbcfa

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

c961dac9-5916-42e8-8fb1-703148323994

[Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

c1e289c0-ffad-475d-a924-adc058765d65

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

68511db2-bd02-41c4-ae6b-1900a012968a

[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

f4b245d4-46c9-42be-9b1a-49e2b5b94194

[Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Cognitive Services

46aa9b05-0e60-4eae-a88b-1e9d374fa515

Cognitive Services accounts should use customer owned storage

Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

620e58b5-ac75-49b4-993f-a9d4f0459636

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

f8b0158d-4766-490f-bea0-259e52dba473

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

a1e8dda3-9fd2-4835-aec3-0e55531fde33

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

bbcdd8fa-b600-4ee3-85b8-d184e3339652

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

6481cc21-ed6e-4480-99dd-ea7c5222e897

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

8a39d1f1-5513-4628-b261-f469a5a3341b

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

7e84ba44-6d03-46fd-950e-5efa5a1112fa

[Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

726671ac-c4de-4908-8c7d-6043ae62e3b6

[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

29829ec2-489d-4925-81b7-bda06b1718e0

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

8bbd627e-4d25-4906-9a6e-3789780af3ec

[Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

815dcc9f-6662-43f2-9a03-1b83e9876f24

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Kubernetes

1d61c4d2-aef2-432b-87fc-7f96b019b7e1

Configure Kubernetes clusters with specified GitOps configuration using no secrets

Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

225e937e-d32e-4713-ab74-13ce95b3519a

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

cdbf72d9-ac9c-4026-8a3a-491a5ac59293

[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

5bb36dda-8a78-4df9-affd-4f05a8612a8a

[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

3750712b-43d0-478e-9966-d2c26f6141b9

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

9178b430-2295-406e-bb28-f6a7a2a2f897

[Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

40917425-69db-4018-8dae-2a0556cef899

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

21e2995e-683e-497a-9e81-2f42ad07050a

[Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

5aa11bbc-5c76-4302-80e5-aba46a4282e7

[Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

909c958d-1b99-4c74-b88f-46a5c5bc34f9

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

ddb53c61-9db4-41d4-a953-2abff5b66c12

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

5c028d2a-1889-45f6-b821-31f42711ced8

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c

Authentication to Linux machines should require SSH keys

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

42a07bbf-ffcf-459a-b4b1-30ecd118a505

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

7229bd6a-693d-478a-87f0-1dc1af06f3b8

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

498b810c-59cd-4222-9338-352ba146ccf3

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

1f8c20ce-3414-4496-8b26-0e902a1541da

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

b872a447-cc6f-43b9-bccf-45703cd81607

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

97b595c8-fd10-400e-8543-28e2b9138b13

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

6fe4ef56-7576-4dc4-8e9c-26bad4b087ce

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

24dde96d-f0b1-425e-884f-4a1421e2dcdc

[Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

8e170edb-e0f5-497a-bb36-48b3280cec6a

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

e425e402-a050-45e5-b010-bd3f934589fc

[Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

ec7ac234-2af5-4729-94d2-c557c071799d

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

3d7b154e-2700-4c8c-9e46-cb65ac1578c2

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

b3802d79-dd88-4bce-b81d-780218e48280

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

0a9991e6-21be-49f9-8916-a06d934bcf29

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

16390df4-2f73-4b42-af13-c801066763df

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

87b590fe-4a1d-4697-ae74-d4fe72ab786c

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Cognitive Services

11566b39-f7f7-4b82-ab06-68d8700eb0a4

[Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption.

This policy is deprecated. Cognitive Services have data encryption enforced.

Default
Disabled
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

30040dab-4e75-4456-8273-14b8f75d91d9

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

8ff0b18b-262e-4512-857a-48ad0aeb9a78

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

e5b81f87-9185-4224-bf00-9f505e9f89f3

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

60aeaf73-a074-417a-905f-7ce9df0ff77b

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

356a906e-05e5-4625-8729-90771e0ee934

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

ce2370f6-0ac5-4d85-8ab4-10721cc640b0

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

985285b7-b97a-419c-8d48-c88cc934c8d8

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

106ccbe4-a791-4f33-a44a-06796944b8d5

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

c8abcef9-fc26-482f-b8db-5fa60ee4586d

[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8

[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Cognitive Services

dd4680ed-0559-4a6a-ad10-081d14cbb484

Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

e3a77a94-cf41-4ee8-b45c-98be28841c03

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

36e17963-7202-494a-80c3-f508211c826b

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

fcbc55c9-f25a-4e55-a6cb-33acb3be778b

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

e3d95ab7-f47a-49d8-a347-784177b6c94c

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

bc87d811-4a9b-47cc-ae54-0a41abda7768

[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

c04255ee-1b9f-42c1-abaa-bf1553f79930

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

Guest Configuration

abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9

[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords

Fixed
deployIfNotExists

change

new Policy

2020-06-09 16:25:53

BuiltIn

SQL

Azure Defender for SQL should be enabled for unprotected SQL Managed Instances

Audit each SQL Managed Instance without advanced data security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-06-08 18:42:36

BuiltIn

Security Center

a7aca53f-2ed4-4466-a25e-0b45ade68efd

Azure DDoS Protection should be enabled

DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-06-08 18:42:36

BuiltIn

Security Center

1b7aa243-30e4-4c9e-bca8-d0d3022b634a

[Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-06-08 18:42:36

BuiltIn

SQL

Vulnerability assessment should be enabled on SQL Managed Instance

Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-06-08 18:42:36

BuiltIn

Kubernetes service

7ce7ac02-a5c6-45d6-8d1b-844feb1c1531

[Deprecated]: Do not allow privileged containers in AKS

This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Cache

22bee202-a82f-4305-9a2a-6d7f44d4dedb

Only secure connections to your Azure Cache for Redis should be enabled

Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking

Default
Audit
Allowed
Audit, Deny, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Kubernetes service

a74d8f00-2fd9-4ce4-968e-0ee1eb821698

[Deprecated]: Enforce internal load balancers in AKS

This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Kubernetes service

a2d3ed81-8d11-4079-80a5-1faadc0024f4

[Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS

This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Kubernetes service

2fbff515-eecc-4b7e-9b63-fcc7138b7dc3

[Deprecated]: Enforce HTTPS ingress in AKS

This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Kubernetes service

16c6ca72-89d2-4798-b87e-496f9de7fcb7

[Deprecated]: Enforce labels on pods in AKS

This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Security Center

bd352bd5-2853-4985-bf0d-73806b4a5744

IP Forwarding on your virtual machine should be disabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Kubernetes service

d011d9f7-ba32-4005-b727-b3d09371ca60

[Deprecated]: Enforce unique ingress hostnames across namespaces in AKS

This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Security Center

b0f33259-77d7-4c9e-aac6-3aabcfae693c

Management ports of virtual machines should be protected with just-in-time network access control

Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Kubernetes service

25dee3db-6ce0-4c02-ab5d-245887b24077

[Deprecated]: Ensure services listen only on allowed ports in AKS

This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Kubernetes service

5f86cb6e-c4da-441b-807c-44bd0cc14e66

[Deprecated]: Ensure only allowed container images in AKS

This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Kubernetes service

0f636243-1b1c-4d50-880f-310f6199f2cb

[Deprecated]: Ensure containers listen only on allowed ports in AKS

This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2020-06-01 18:36:18

BuiltIn

Monitoring

d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e

[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines

This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Security Center

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

add

new Policy

2020-05-29 15:39:09

BuiltIn

Monitoring

Configure Dependency agent on Azure Arc enabled Linux servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Monitoring

e8eef0a8-67cf-4eb4-9386-14b0e78733d4

Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Container Registry

Container registries should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.

Default
Audit
Allowed
Audit, Disabled

change

new Policy

2020-05-29 15:39:09

BuiltIn

Security Center

9830b652-8523-49cc-b1b3-e17dce1127ca

Deploy export to Event Hub for Microsoft Defender for Cloud data

Fixed
deployIfNotExists

add

new Policy

2020-05-29 15:39:09

BuiltIn

Event Grid

Azure Event Grid domains should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Monitoring

842c54e8-c2f9-4d79-ae8d-38d8b8019373

[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines

This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Azure Ai Services

Azure AI Services resources should restrict network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Security Center

4750c32b-89c0-46af-bfcb-2e4541a818d5

[Deprecated]: Allowlist rules in your adaptive application control policy should be updated

Default
Disabled
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Cosmos DB

Azure Cosmos DB key based metadata write access should be disabled

This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access.

Fixed
append

add

new Policy

2020-05-29 15:39:09

BuiltIn

Security Center

Deploy Workflow Automation for Microsoft Defender for Cloud alerts

Fixed
deployIfNotExists

add

new Policy

2020-05-29 15:39:09

BuiltIn

Monitoring

4b90e17e-8448-49db-875e-bd83fb6f804f

Configure Log Analytics extension on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-05-29 15:39:09

BuiltIn

Event Grid

Azure Event Grid topics should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Monitoring

ef619a2c-cc4d-4d03-b2ba-8c94a834d85b

Configure Dependency agent on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-05-29 15:39:09

BuiltIn

API Management

API Management services should use a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Container Registry

Container registries should not allow unrestricted network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

new Policy

2020-05-29 15:39:09

BuiltIn

Security Center

0b7ef78e-a035-4f23-b9bd-aff122a1b1cf

Deploy Workflow Automation for Microsoft Defender for Cloud recommendations

Fixed
deployIfNotExists

add

new Policy

2020-05-29 15:39:09

BuiltIn

Cosmos DB

Azure Cosmos DB throughput should be limited

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-05-29 15:39:09

BuiltIn

Container Registry

Container registries should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

change

new Policy

2020-05-29 15:39:09

BuiltIn

Monitoring

Configure Log Analytics extension on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2020-05-21 16:06:38

BuiltIn

Cache

8e7da0a5-0a0e-4bbc-bfc0-7773c018b616

[Deprecated]: Azure Cache for Redis should reside within a virtual network

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-05-21 16:06:38

BuiltIn

Security Center

Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.

Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2020-05-13 05:56:52

BuiltIn

Machine Learning

[Preview]: Configure allowed module authors for specified Azure Machine Learning computes

Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

add

new Policy

2020-05-13 05:56:52

BuiltIn

Machine Learning

6df2fee6-a9ed-4fef-bced-e13be1b25f1c

[Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

add

new Policy

2020-05-13 05:56:52

BuiltIn

Security Center

Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.

Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2020-05-13 05:56:52

BuiltIn

Machine Learning

[Preview]: Configure allowed registries for specified Azure Machine Learning computes

Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

add

new Policy

2020-05-13 05:56:52

BuiltIn

Machine Learning

[Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes

Default
enforceSetting
Allowed
enforceSetting, disabled

add

new Policy

2020-05-13 05:56:52

BuiltIn

Machine Learning

[Preview]: Configure allowed Python packages for specified Azure Machine Learning computes

Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.

Default
enforceSetting
Allowed
enforceSetting, disabled

add

new Policy

2020-05-13 05:56:52

BuiltIn

Monitoring

cccc23c7-8427-4f53-ad12-b6a63eb452b3

Configure Dependency agent on Azure Arc enabled Windows servers

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2020-05-13 05:56:52

BuiltIn

Compute

Allowed virtual machine size SKUs

This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy.

Fixed
Deny

change

new Policy

2020-05-09 14:57:51

BuiltIn

Storage

34c877ad-507e-4c82-993e-3452a6e0ad3c

Storage accounts should restrict network access

Default
Audit
Allowed
Audit, Deny, Disabled

change

new Policy

2020-05-09 14:57:51

BuiltIn

SQL

e8eef0a8-67cf-4eb4-9386-14b0e78733d4

MySQL servers should use customer-managed keys to encrypt data at rest

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-04-28 14:50:57

BuiltIn

Container Registry

Container registries should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-04-28 14:50:57

BuiltIn

SQL

fdccbe47-f3e3-4213-ad5d-ea459b2fa077

Public network access should be disabled for MariaDB servers

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-04-28 14:50:57

BuiltIn

SQL

d9844e8a-1437-4aeb-a32c-0c992f056095

PostgreSQL servers should use customer-managed keys to encrypt data at rest

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-04-28 14:50:57

BuiltIn

SQL

Public network access should be disabled for MySQL servers

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-04-28 14:50:57

BuiltIn

SQL

Public network access should be disabled for PostgreSQL servers

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-04-28 14:50:57

BuiltIn

Kubernetes

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Kubernetes

[Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster

This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Kubernetes

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Kubernetes

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Kubernetes

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Kubernetes

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Kubernetes

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Kubernetes

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Kubernetes

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2020-04-23 15:06:19

BuiltIn

Monitoring

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

f47b5582-33ec-4c5c-87c0-b010a6b2e917

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

[Deprecated]: Virtual machines should be connected to a specified workspace

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

e2dd799a-a932-4e9d-ac17-d473bc3c6c10

Deploy Log Analytics extension for Linux VMs. See deprecation notice below

Fixed
deployIfNotExists

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

[Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machines

Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed.

Fixed
deployIfNotExists

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machines

Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets

Fixed
deployIfNotExists

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

[Deprecated]: Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

11ac78e3-31bc-4f0c-8434-37ab963cea07

Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Monitoring

Dependency agent should be enabled for listed virtual machine images

Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-04-22 04:43:16

BuiltIn

Cosmos DB

0473574d-2d43-4217-aefe-941fcdf7e684

Azure Cosmos DB allowed locations

This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2020-03-17 09:22:59

BuiltIn

Guest Configuration

fc5e4038-4584-4632-8c85-c0448d374b2c

Windows Defender Exploit Guard should be enabled on your machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-03-17 09:22:59

BuiltIn

Network

[Preview]: All Internet traffic should be routed via your deployed Azure Firewall

Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-03-17 09:22:59

BuiltIn

Guest Configuration

6a7a2bcf-f9be-4e35-9734-4f9657a70f1d

[Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled

This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2020-03-17 09:22:59

BuiltIn

Guest Configuration

5fc23db3-dd4d-4c56-bcc7-43626243e601

[Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-03-17 09:22:59

BuiltIn

Guest Configuration

0d9b45ff-9ddd-43fc-bf59-fbd1c8423053

[Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-03-17 09:22:59

BuiltIn

Tags

1e30110a-5ceb-460c-a204-c1c3969c6d62

Require a tag and its value on resources

Enforces a required tag and its value. Does not apply to resource groups.

Fixed
deny

change

new Policy

2020-03-10 16:29:49

BuiltIn

Tags

871b6d14-10aa-478d-b590-94f262ecfa99

Require a tag on resources

Enforces existence of a tag. Does not apply to resource groups.

Fixed
deny

change

new Policy

2020-03-10 16:29:49

BuiltIn

Tags

96670d01-0a4d-4649-9c89-2d3abc0a5025

Require a tag on resource groups

Enforces existence of a tag on resource groups.

Fixed
deny

change

new Policy

2020-03-10 16:29:49

BuiltIn

Tags

9ea02ca2-71db-412d-8b00-7c7ca9fcd32d

Append a tag and its value from the resource group

Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).

Fixed
append

change

new Policy

2020-03-10 16:29:49

BuiltIn

Tags

2a0e14a6-b0a6-4fab-991a-187a4f81c498

Append a tag and its value to resources

Fixed
append

change

new Policy

2020-03-10 16:29:49

BuiltIn

Tags

49c88fc8-6fd1-46fd-a676-f12d1d3a4c71

Append a tag and its value to resource groups

Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc).

Fixed
append

change

new Policy

2020-03-10 16:29:49

BuiltIn

Tags

8ce3da23-7156-49e4-b145-24f95f9dcb46

Require a tag and its value on resource groups

Enforces a required tag and its value on resource groups.

Fixed
deny

change

new Policy

2020-03-10 16:29:49

BuiltIn

Monitoring

e2dd799a-a932-4e9d-ac17-d473bc3c6c10

Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-02-29 21:43:10

BuiltIn

Monitoring

Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-02-29 21:43:10

BuiltIn

Monitoring

[Deprecated]: Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-02-29 21:43:10

BuiltIn

Monitoring

Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-02-29 21:43:10

BuiltIn

Monitoring

Deploy Dependency agent for Linux virtual machine scale sets

Fixed
deployIfNotExists

change

new Policy

2020-02-29 21:43:10

BuiltIn

Monitoring

dfbd9a64-6114-48de-a47d-90574dc2e489

[Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below

Default
Disabled
Allowed
DeployIfNotExists, Disabled

change

new Policy

2020-02-29 21:43:10

BuiltIn

SQL

MariaDB server should use a virtual network service endpoint

Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MariaDB has virtual network service endpoint being used.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-02-27 09:26:21

BuiltIn

SQL

0a1302fb-a631-4106-9753-f3d494733990

Private endpoint should be enabled for MariaDB servers

Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-02-27 09:26:21

BuiltIn

SQL

3c14b034-bcb6-4905-94e7-5b8e98a47b65

PostgreSQL server should use a virtual network service endpoint

Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-02-27 09:26:21

BuiltIn

SQL

3375856c-3824-4e0e-ae6a-79e011dd4c47

MySQL server should use a virtual network service endpoint

Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MySQL has virtual network service endpoint being used.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-02-27 09:26:21

BuiltIn

SQL

7595c971-233d-4bcf-bd18-596129188c49

Private endpoint should be enabled for MySQL servers

Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-02-27 09:26:21

BuiltIn

SQL

0564d078-92f5-4f97-8398-b9f58a51f70b

Private endpoint should be enabled for PostgreSQL servers

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-02-27 09:26:21

BuiltIn

Security Center

1a833ff1-d297-4a0f-9944-888428f8e0ff

[Deprecated]: Access to App Services should be restricted

Azure security center has discovered that the networking configuration of some of your app services are overly permissive and allow inbound traffic from ranges that are too broad

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-02-25 11:29:35

BuiltIn

Tags

40df99da-1232-49b1-a39a-6da8d878f469

Inherit a tag from the subscription if missing

Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.

Fixed
modify

add

new Policy

2020-02-20 08:25:18

BuiltIn

Tags

b27a0cbd-a167-4dfa-ae64-4337be671140

Inherit a tag from the subscription

Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.

Fixed
modify

add

new Policy

2020-02-20 08:25:18

BuiltIn

Security Center

201ea587-7c90-41c3-910f-c280ae01cfd6

[Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM

Azure security center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-02-20 08:25:18

BuiltIn

App Platform

0f2d8593-4667-4932-acca-6a9f187af109

[Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled

Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-02-12 02:52:44

BuiltIn

Backup

c717fb0c-d118-4c43-ab3d-ece30ac81fb3

Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.

Fixed
deployIfNotExists

add

new Policy

2020-02-12 02:52:44

BuiltIn

Container Registry

ca610c1d-041c-4332-9d88-7ed3094967c7

Container registries should be encrypted with a customer-managed key

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-02-12 02:52:44

BuiltIn

App Configuration

App Configuration should use private link

Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-02-12 02:52:44

BuiltIn

App Configuration

967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1

App Configuration should use a customer-managed key

Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements.

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-02-12 02:52:44

BuiltIn

Container Registry

97646672-5efa-4622-9b54-740270ad60bf

Container registries should not allow unrestricted network access

Default
Audit
Allowed
Audit, Deny, Disabled

add

new Policy

2020-02-12 02:52:44

BuiltIn

Guest Configuration

[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'

This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
auditIfNotExists

change

new Policy

2020-02-08 03:50:24

BuiltIn

App Service

Function apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-02-08 03:50:24

BuiltIn

Guest Configuration

e372f825-a257-4fb8-9175-797a8a8627d6

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'

Fixed
deployIfNotExists

change

new Policy

2020-02-08 03:50:24

BuiltIn

Network

[Deprecated]: RDP access from the Internet should be blocked

This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-01-29 21:53:30

BuiltIn

Monitoring

3b980d31-7904-4bb7-8575-5665739a8052

An activity log alert should exist for specific Security operations

This policy audits specific Security operations with no activity log alerts configured.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-01-29 21:53:30

BuiltIn

Security Center

ac076320-ddcf-4066-b451-6154267e8ad2

Enable Microsoft Defender for Cloud on your subscription

Fixed
deployIfNotExists

add

new Policy

2020-01-29 21:53:30

BuiltIn

Monitoring

b954148f-4c11-4c38-8221-be76711e194a

An activity log alert should exist for specific Administrative operations

This policy audits specific Administrative operations with no activity log alerts configured.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-01-29 21:53:30

BuiltIn

Monitoring

c5447c04-a4d7-4ba8-a263-c9ee321a6858

An activity log alert should exist for specific Policy operations

This policy audits specific Policy operations with no activity log alerts configured.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2020-01-29 21:53:30

BuiltIn

Network

2c89a2e5-7285-40fe-afe0-ae8654b92fab

[Deprecated]: SSH access from the Internet should be blocked

This policy is deprecated. This policy audits any network security rule that allows SSH access from Internet

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2020-01-29 21:53:30

BuiltIn

Security Center

a8bef009-a5c9-4d0f-90d7-6018734e8a16

[Deprecated]: Monitor unencrypted SQL databases in Azure Security Center

Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: Transparent Data Encryption on SQL databases should be enabled'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-01-29 05:56:46

BuiltIn

Security Center

af8051bf-258b-44e2-a2bf-165330459f9d

[Deprecated]: Monitor unaudited SQL servers in Azure Security Center

SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-01-29 05:56:46

BuiltIn

Security Center

201ea587-7c90-41c3-910f-c280ae01cfd6

[Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines

Azure Security Center recommends NSG rules for Internet-facing VMs. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation.

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-01-10 16:39:23

BuiltIn

Security Center

[Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM

Default
Disabled
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-01-10 16:39:23

BuiltIn

Security Center

f6de0be7-9a8a-4b8a-b349-43cf02d22f7c

Internet-facing virtual machines should be protected with network security groups

Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-01-10 16:39:23

BuiltIn

SQL

a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9

Auditing on SQL server should be enabled

Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2020-01-10 16:39:23

BuiltIn

Guest Configuration

0a9991e6-21be-49f9-8916-a06d934bcf29

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

36e17963-7202-494a-80c3-f508211c826b

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

f56a3ab2-89d1-44de-ac0d-2ada5962e22a

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

437a1f8f-8552-47a8-8b12-a2fee3269dd5

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

c1e289c0-ffad-475d-a924-adc058765d65

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

e5b81f87-9185-4224-bf00-9f505e9f89f3

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

6481cc21-ed6e-4480-99dd-ea7c5222e897

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

e3d95ab7-f47a-49d8-a347-784177b6c94c

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

985285b7-b97a-419c-8d48-c88cc934c8d8

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

42a07bbf-ffcf-459a-b4b1-30ecd118a505

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

40917425-69db-4018-8dae-2a0556cef899

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

3750712b-43d0-478e-9966-d2c26f6141b9

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

7040a231-fb65-4412-8c0a-b365f4866c24

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

86880e5c-df35-43c5-95ad-7e120635775e

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

97b595c8-fd10-400e-8543-28e2b9138b13

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

909c958d-1b99-4c74-b88f-46a5c5bc34f9

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

498b810c-59cd-4222-9338-352ba146ccf3

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

ce2370f6-0ac5-4d85-8ab4-10721cc640b0

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

c04255ee-1b9f-42c1-abaa-bf1553f79930

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

f8b0158d-4766-490f-bea0-259e52dba473

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

8e170edb-e0f5-497a-bb36-48b3280cec6a

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

815dcc9f-6662-43f2-9a03-1b83e9876f24

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

e425e402-a050-45e5-b010-bd3f934589fc

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

12ae2d24-3805-4b37-9fa9-465968bfbcfa

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

bbcdd8fa-b600-4ee3-85b8-d184e3339652

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'

This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

1f8c20ce-3414-4496-8b26-0e902a1541da

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

Guest Configuration

ec7ac234-2af5-4729-94d2-c557c071799d

[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'

Fixed
deployIfNotExists

change

new Policy

2019-12-17 15:43:46

BuiltIn

App Service

95bccee9-a7f8-4bec-9ee9-62c3473701fc

App Service apps should have authentication enabled

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-12-11 09:18:30

BuiltIn

App Service

c4ebc54a-46e1-481a-bee2-d4411e95d828

[Deprecated]: Authentication should be enabled on your API app

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-12-11 09:18:30

BuiltIn

Guest Configuration

fbb99e8e-e444-4da0-9ff1-75c92f5a85b2

Configure time zone on Windows machines.

This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.

Fixed
deployIfNotExists

change

new Policy

2019-12-11 09:18:30

BuiltIn

Monitoring

Storage account containing the container with activity logs must be encrypted with BYOK

This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-12-11 09:18:30

BuiltIn

Backup

013e242c-8828-4970-87b3-ab247555486d

Azure Backup should be enabled for Virtual Machines

Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-12-11 09:18:30

BuiltIn

App Service

c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8

Function apps should have authentication enabled

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-12-11 09:18:30

BuiltIn

Monitoring

04c4380f-3fae-46e8-96c9-30193528f602

[Preview]: Network traffic data collection agent should be installed on Linux virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-27 16:06:41

BuiltIn

Monitoring

2f2ee1de-44aa-4762-b6bd-0893fc3f306d

[Preview]: Network traffic data collection agent should be installed on Windows virtual machines

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-27 16:06:41

BuiltIn

Backup

Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location

Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.

Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled

change

new Policy

2019-11-19 11:26:09

BuiltIn

Key Vault

Certificates should use allowed key types

Manage your organizational compliance requirements by restricting the key types allowed for certificates.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2019-11-19 11:26:09

BuiltIn

Key Vault

Certificates using RSA cryptography should have the specified minimum key size

Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2019-11-19 11:26:09

BuiltIn

Key Vault

Certificates should have the specified maximum validity period

Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2019-11-19 11:26:09

BuiltIn

Key Vault

Certificates should have the specified lifetime action triggers

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2019-11-19 11:26:09

BuiltIn

Key Vault

Certificates should not expire within the specified number of days

Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2019-11-19 11:26:09

BuiltIn

Key Vault

Certificates should be issued by the specified non-integrated certificate authority

Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2019-11-19 11:26:09

BuiltIn

Key Vault

Certificates should be issued by the specified integrated certificate authority

Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

change

new Policy

2019-11-19 11:26:09

BuiltIn

e567365d-4228-430f-ac39-7d5d46e617ac

n/a

remove

e567365d-4228-430f-ac39-7d5d46e617ac

2019-11-12 19:11:12 (i)

BuiltIn

App Service

Function apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

d011d9f7-ba32-4005-b727-b3d09371ca60

[Deprecated]: API apps that use Python should use the latest 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

[Deprecated]: Enforce unique ingress hostnames across namespaces in AKS

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

58d94fc1-a072-47c2-bd37-9cdb38e77453

[Deprecated]: Ensure Function app is using the latest version of TLS encryption

Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

16c6ca72-89d2-4798-b87e-496f9de7fcb7

[Deprecated]: Enforce labels on pods in AKS

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

App Service apps should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

[Deprecated]: Function apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

991310cd-e9f3-47bc-b7b6-f57b557d07db

Function apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

[Deprecated]: Ensure that 'HTTP Version' is the latest, if used to run the API app

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

a74d8f00-2fd9-4ce4-968e-0ee1eb821698

[Deprecated]: Enforce internal load balancers in AKS

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

App Service apps that use PHP should use a specified 'PHP version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

88999f4c-376a-45c8-bcb3-4058f713cf39

App Service apps that use Java should use a specified 'Java version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

[Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

ab965db2-d2bf-4b64-8b39-c38ec8179461

[Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Disabled
Allowed
Audit, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app

PHP cannot be used with Function apps.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

0f636243-1b1c-4d50-880f-310f6199f2cb

[Deprecated]: Ensure containers listen only on allowed ports in AKS

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

a2d3ed81-8d11-4079-80a5-1faadc0024f4

[Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

25dee3db-6ce0-4c02-ab5d-245887b24077

[Deprecated]: Ensure services listen only on allowed ports in AKS

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

7ce7ac02-a5c6-45d6-8d1b-844feb1c1531

[Deprecated]: Do not allow privileged containers in AKS

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

10c1859c-e1a7-4df3-ab97-a487fa8059f6

[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App

This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

2fbff515-eecc-4b7e-9b63-fcc7138b7dc3

[Deprecated]: Enforce HTTPS ingress in AKS

This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

c2e7ca55-f62c-49b2-89a4-d41eb661d2f0

[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app

This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

aa81768c-cb87-4ce2-bfaa-00baa10d760c

[Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App

This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

6ad61431-88ce-4357-a0e1-6da43f292bd7

[Deprecated]: Ensure WEB app is using the latest version of TLS encryption

Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

Kubernetes service

5f86cb6e-c4da-441b-807c-44bd0cc14e66

[Deprecated]: Ensure only allowed container images in AKS

Default
EnforceRegoPolicy
Allowed
EnforceRegoPolicy, Disabled

change

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

843664e0-7563-41ee-a9cb-7522c382d2c4

[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app

This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

Function apps should use latest 'HTTP Version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

0c192fe8-9cbb-4516-85b3-0ade8bd03886

[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

[Deprecated]: API apps should have 'Client Certificates (Incoming client certificates)' enabled

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

86d97760-d216-4d81-a3ad-163087b2b6c3

[Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app

This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

f0473e7a-a1ba-4e86-afb2-e829e11b01d8

[Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App

This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

App Service

App Service apps that use Python should use a specified 'Python version'

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-11-12 19:11:12

BuiltIn

Key Vault

Certificates using elliptic curve cryptography should have allowed curve names

Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.

Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-11-02 10:12:34

BuiltIn

Monitoring

0da106f2-4ca3-48e8-bc85-c638fe6aea8f

Deploy Diagnostic Settings for Service Bus to Log Analytics workspace

Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service

Function apps should use managed identity

Use a managed identity for enhanced authentication security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

SQL

82339799-d096-41ae-8538-b108becf0970

Geo-redundant backup should be enabled for Azure Database for MySQL

Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

[Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster

This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

d38fc420-0735-4ef3-ac11-c806f651a570

[Deprecated]: Kubernetes cluster containers should only listen on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

SQL

Long-term geo-redundant backup should be enabled for Azure SQL Databases

This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

edf3780c-3d70-40fe-b17e-ab72013dafca

Deploy Diagnostic Settings for Stream Analytics to Event Hub

Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

bf045164-79ba-4215-8f95-f8048dc1780b

Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Storage

Geo-redundant storage should be enabled for Storage Accounts

Use geo-redundancy to create highly available applications

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Guest Configuration

c4d441f8-f9d9-4a9e-9cef-e82117cb3eef

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.

Fixed
deployIfNotExists

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service

[Deprecated]: Managed identity should be used in your API App

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

2b9ad585-36bc-4615-b300-fd4435808332

Kubernetes clusters should use internal load balancers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service

App Service apps should use managed identity

Use a managed identity for enhanced authentication security

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

ef7b61ef-b8e4-4c91-8e78-6946c6b0023f

Kubernetes clusters should be accessible only over HTTPS

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

Deploy Diagnostic Settings for Event Hub to Event Hub

Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service

48af4db5-9b8b-401c-8e74-076be876a430

Function apps should use the latest TLS version

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

SQL

Geo-redundant backup should be enabled for Azure Database for PostgreSQL

Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e

Kubernetes cluster pods should use specified labels

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service

[Deprecated]: Latest TLS version should be used in your API App

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

6b51af03-9277-49a9-a3f8-1c69c9ff7403

Deploy Diagnostic Settings for Service Bus to Event Hub

Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

9a1b8c48-453a-4044-86c3-d8bfd823e4f5

Kubernetes cluster services should listen only on allowed ports

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service

[Deprecated]: FTPS only should be required in your API App

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

1f6e93e8-6b31-41b1-83f6-36e449a42579

Deploy Diagnostic Settings for Event Hub to Log Analytics workspace

Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service

4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b

App Service apps should require FTPS only

Enable FTPS enforcement for enhanced security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

e8d096bc-85de-4c5f-8cfb-857bd1b9d62d

Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub

Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

08ba64b8-738f-4918-9686-730d2ed79c7d

Kubernetes cluster containers should only use allowed images

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

Deploy Diagnostic Settings for Search Services to Log Analytics workspace

Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

db51110f-0865-4a6e-b274-e2e07a5b2cd7

Deploy Diagnostic Settings for Batch Account to Event Hub

Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

SQL

0ec47710-77ff-4a3d-9181-6aa50af424d0

Geo-redundant backup should be enabled for Azure Database for MariaDB

Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

c84e5349-db6d-4769-805e-e14037dab9b5

Deploy Diagnostic Settings for Batch Account to Log Analytics workspace

Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

e567365d-4228-430f-ac39-7d5d46e617ac

Fixed

add

new Policy

2019-10-29 23:04:36

BuiltIn

Managed Application

17763ad9-70c0-4794-9397-53d765932634

Deploy associations for a managed application

Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types.

Fixed
deployIfNotExists

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

b889a06c-ec72-4b03-910a-cb169ee18721

Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace

Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03

Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace

Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Lighthouse

76bed37b-484f-430f-a009-fd7592dff818

Audit delegation of scopes to a managing tenant

Audit delegation of scopes to a managing tenant via Azure Lighthouse.

Default
Audit
Allowed
Audit, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

4daddf25-4823-43d4-88eb-2419eb6dcc08

Deploy Diagnostic Settings for Data Lake Analytics to Event Hub

Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Custom Provider

c15c281f-ea5c-44cd-90b8-fc3c14d13f0c

Deploy associations for a custom provider

Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types.

Fixed
deployIfNotExists

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service

399b2637-a50f-4f95-96f8-3a145476eb15

Function apps should require FTPS only

Enable FTPS enforcement for enhanced security.

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

a1dae6c7-13f3-48ea-a149-ff8442661f60

Deploy Diagnostic Settings for Logic Apps to Event Hub

Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Kubernetes

bef3f64c-5290-43b7-85b0-9b254eef4c47

Kubernetes cluster should not allow privileged containers

Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

Deploy Diagnostic Settings for Key Vault to Log Analytics workspace

Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Guest Configuration

237e0f7e-b0e8-4ec4-ad46-8c12cb66d673

[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.

Fixed
deployIfNotExists

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace

Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

3d5da587-71bd-41f5-ac95-dd3330c2d58d

Deploy Diagnostic Settings for Search Services to Event Hub

Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

Monitoring

25763a0a-5783-4f14-969e-79d4933eb74b

Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace

Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated.

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

add

new Policy

2019-10-29 23:04:36

BuiltIn

App Service