last sync: 2020-Oct-23 19:29:54 UTC

Changes on Azure Policy definitions

Columns: Category, Id, DisplayName, Description, Effect, Roles used, Details (UTC ymd)

Category: Key Vault
Id: 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
DisplayName: Key vault should have soft delete enabled
Description: Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-23 13:31:09 | add: 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d

Category: Key Vault
Id: 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53
DisplayName: Key Vault objects should be recoverable
Description: This policy audits if key vault objects are not recoverable. The Soft Delete feature holds the resources for a given retention period (90 days) even after a DELETE operation, while giving the appearance that the object is deleted. When 'Purge protection' is on, a vault or an object in the deleted state cannot be purged until the 90-day retention period has passed. These vaults and objects can still be recovered, assuring customers that the retention policy will be followed.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-23 13:31:09 | change: Minor (1.0.0 > 1.1.0)

Category: App Service
Id: 88999f4c-376a-45c8-bcb3-4058f713cf39
DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Api app
Description: Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Java version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)
Category: SQL
Id: c9299215-ae47-4f50-9c54-8a392f68a052
DisplayName: Public network access should be disabled for MySQL flexible servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range and denies all logins that match IP or virtual network-based firewall rules.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | add: c9299215-ae47-4f50-9c54-8a392f68a052

Category: App Service
Id: 8c122334-9d20-4eb8-89ea-ac9a705b74ae
DisplayName: Ensure that 'HTTP Version' is the latest, if used to run the Web app
Description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.1.0 > 2.0.0)

Category: SQL
Id: 24fba194-95d6-48c0-aea7-f65bf859c598
DisplayName: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
Description: Enable infrastructure encryption for Azure Database for PostgreSQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | add: 24fba194-95d6-48c0-aea7-f65bf859c598
Category: Kubernetes
Id: a8eff44f-8c92-45c3-a3fb-9880802d67a7
DisplayName: Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Description: Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.
Effect: Fixed deployIfNotExists
Roles used: Azure Kubernetes Service Contributor Role
Details (UTC): 2020-10-20 13:29:33 | add: a8eff44f-8c92-45c3-a3fb-9880802d67a7

Category: App Service
Id: 991310cd-e9f3-47bc-b7b6-f57b557d07db
DisplayName: Ensure that 'HTTP Version' is the latest, if used to run the Api app
Description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for Api apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: e2c1c086-2d84-4019-bff3-c44ccd95113c
DisplayName: Ensure that 'HTTP Version' is the latest, if used to run the Function app
Description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)

Category: SQL
Id: 3a58212a-c829-4f13-9872-6371df2fd0b4
DisplayName: Infrastructure encryption should be enabled for Azure Database for MySQL servers
Description: Enable infrastructure encryption for Azure Database for MySQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | add: 3a58212a-c829-4f13-9872-6371df2fd0b4
Category: App Service
Id: 496223c3-ad65-4ecd-878a-bae78737e9ed
DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Web app
Description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 74c3584d-afae-46f7-a20a-6f8adba71a16
DisplayName: Ensure that 'Python version' is the latest, if used as a part of the Api app
Description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 7238174a-fd10-4ef0-817e-fc820a951d73
DisplayName: Ensure that 'Python version' is the latest, if used as a part of the Function app
Description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 7261b898-8a84-4db8-9e04-18527132abb3
DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the WEB app
Description: Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)
Category: App Service
Id: 7008174a-fd10-4ef0-817e-fc820a951d73
DisplayName: Ensure that 'Python version' is the latest, if used as a part of the Web app
Description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc
DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Function app
Description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.1 > 2.0.0)

Category: SQL
Id: 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48
DisplayName: Public network access should be disabled for PostgreSQL flexible servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of the Azure IP range and denies all logins that match IP or virtual network-based firewall rules.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | add: 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48

Category: App Service
Id: 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba
DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the Api app
Description: Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33 | change: Major (1.0.0 > 2.0.0)
Category: Key Vault
Id: c26e4b24-cf98-4c67-b48b-5a25c4c69eb9
DisplayName: [Preview]: Keys should not be active for longer than the specified number of days
Description: Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: c26e4b24-cf98-4c67-b48b-5a25c4c69eb9

Category: Key Vault
Id: e8d99835-8a06-45ae-a8e0-87a91941ccfe
DisplayName: [Preview]: Secrets should not be active for longer than the specified number of days
Description: If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: e8d99835-8a06-45ae-a8e0-87a91941ccfe

Category: Key Vault
Id: 75c4f823-d65c-4f29-a733-01d0077fdbcb
DisplayName: [Preview]: Keys should be the specified cryptographic type RSA or EC
Description: Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 75c4f823-d65c-4f29-a733-01d0077fdbcb

Category: Key Vault
Id: 5ff38825-c5d8-47c5-b70e-069a21955146
DisplayName: [Preview]: Keys should have more than the specified number of days before expiration
Description: If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 5ff38825-c5d8-47c5-b70e-069a21955146

Category: Key Vault
Id: 587c79fe-dd04-4a5e-9d0b-f89598c7261b
DisplayName: [Preview]: Keys should be backed by a hardware security module (HSM)
Description: An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM, which provides a greater level of security than a software key.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 587c79fe-dd04-4a5e-9d0b-f89598c7261b
Category: Key Vault
Id: 82067dbb-e53b-4e06-b631-546d197452d9
DisplayName: [Preview]: Keys using RSA cryptography should have a specified minimum key size
Description: Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 82067dbb-e53b-4e06-b631-546d197452d9

Category: Key Vault
Id: 49a22571-d204-4c91-a7b6-09b1a586fbc9
DisplayName: [Preview]: Keys should have the specified maximum validity period
Description: Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 49a22571-d204-4c91-a7b6-09b1a586fbc9

Category: Key Vault
Id: 98728c90-32c7-4049-8429-847dc0f4fe37
DisplayName: [Preview]: Secrets should have expiration dates set
Description: It is a recommended security practice to set expiration dates on secrets.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 98728c90-32c7-4049-8429-847dc0f4fe37

Category: Key Vault
Id: b0eb591a-5e70-4534-a8bf-04b9c489584a
DisplayName: [Preview]: Secrets should have more than the specified number of days before expiration
Description: If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: b0eb591a-5e70-4534-a8bf-04b9c489584a

Category: Key Vault
Id: 75262d3e-ba4a-4f43-85f8-9f72c090e5e3
DisplayName: [Preview]: Secrets should have content type set
Description: A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. The content type tag should be set on secrets.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 75262d3e-ba4a-4f43-85f8-9f72c090e5e3
Category: Key Vault
Id: ff25f3c8-b739-4538-9d07-3d6d25cfb255
DisplayName: [Preview]: Keys using elliptic curve cryptography should have the specified curve names
Description: Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: ff25f3c8-b739-4538-9d07-3d6d25cfb255

Category: Key Vault
Id: 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0
DisplayName: [Preview]: Keys should have expiration dates set
Description: Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0

Category: Key Vault
Id: 342e8053-e12e-4c44-be01-c3c2f318400f
DisplayName: [Preview]: Secrets should have the specified maximum validity period
Description: Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50 | add: 342e8053-e12e-4c44-be01-c3c2f318400f
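The thirteen [Preview] Key Vault definitions added on 2020-10-16 all evaluate attributes that Key Vault already exposes on every key and secret (creation time, activation date `nbf`, expiration `exp`, key type, RSA size, curve name, content type). The following is an added example, not Microsoft code and not Azure Policy's evaluation engine: it applies those same rules to an in-memory inventory so you can see exactly which attribute each policy reads and how the "active since" clock works when an activation date was set. The thresholds, the fixed clock and the sample objects are constructed for the example; the attribute names follow the Key Vault REST model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class KvKey:
    name: str
    kty: str                        # RSA, RSA-HSM, EC or EC-HSM
    created: datetime
    key_size: Optional[int] = None  # RSA modulus bits
    crv: Optional[str] = None       # EC curve name, e.g. P-256
    nbf: Optional[datetime] = None  # activation date ("not before")
    exp: Optional[datetime] = None  # expiration date


@dataclass
class KvSecret:
    name: str
    created: datetime
    content_type: Optional[str] = None
    nbf: Optional[datetime] = None
    exp: Optional[datetime] = None


@dataclass
class Thresholds:                   # constructed values; the policies take these as parameters
    max_active_days: int = 730      # "not active longer than two years"
    min_days_before_expiry: int = 30
    max_validity_days: int = 365
    min_rsa_bits: int = 2048
    allowed_kty: frozenset = frozenset({"RSA", "EC"})
    allowed_curves: frozenset = frozenset({"P-256", "P-384", "P-521"})
    require_hsm: bool = False


def active_since(obj) -> datetime:
    # An object is active from its activation date if one was set, else from creation.
    return obj.nbf or obj.created


def lifetime_findings(obj, t: Thresholds, now: datetime) -> List[str]:
    # Rules shared by keys and secrets: expiration set, headroom before expiry,
    # maximum validity period, maximum time active.
    f = []
    if obj.exp is None:
        f.append("no expiration date")
    else:
        if obj.exp - now < timedelta(days=t.min_days_before_expiry):
            f.append("expires in fewer than %d days" % t.min_days_before_expiry)
        if obj.exp - active_since(obj) > timedelta(days=t.max_validity_days):
            f.append("validity period exceeds %d days" % t.max_validity_days)
    if now - active_since(obj) > timedelta(days=t.max_active_days):
        f.append("active longer than %d days" % t.max_active_days)
    return f


def evaluate_key(k: KvKey, t: Thresholds, now: datetime) -> List[str]:
    f = lifetime_findings(k, t, now)
    base = k.kty.replace("-HSM", "")          # RSA-HSM is still an RSA key
    if base not in t.allowed_kty:
        f.append("key type %s not allowed" % k.kty)
    if t.require_hsm and not k.kty.endswith("-HSM"):
        f.append("not HSM-backed")
    if base == "RSA" and (k.key_size or 0) < t.min_rsa_bits:
        f.append("RSA key size below %d bits" % t.min_rsa_bits)
    if base == "EC" and k.crv not in t.allowed_curves:
        f.append("curve %s not allowed" % k.crv)
    return f


def evaluate_secret(s: KvSecret, t: Thresholds, now: datetime) -> List[str]:
    f = lifetime_findings(s, t, now)
    if not s.content_type:
        f.append("content type not set")
    return f


def utc_date(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory and a fixed clock so the results are reproducible.
NOW = utc_date(2020, 10, 23)
SAMPLE_KEYS = [
    KvKey("good-rsa", "RSA-HSM", utc_date(2020, 9, 1), key_size=3072, exp=utc_date(2021, 6, 1)),
    KvKey("legacy-rsa", "RSA", utc_date(2018, 1, 1), key_size=1024),
    KvKey("ec-k", "EC", utc_date(2020, 10, 1), crv="P-256K", exp=utc_date(2020, 11, 1)),
]
SAMPLE_SECRETS = [
    KvSecret("db-conn", utc_date(2020, 10, 1), content_type="connection string", exp=utc_date(2021, 4, 1)),
    KvSecret("api-token", utc_date(2019, 12, 1), nbf=utc_date(2020, 1, 1), exp=utc_date(2021, 6, 1)),
]


def report(keys=SAMPLE_KEYS, secrets=SAMPLE_SECRETS, t=Thresholds(), now=NOW) -> dict:
    """Map object name -> findings; an empty list means compliant with every rule."""
    out = {k.name: evaluate_key(k, t, now) for k in keys}
    out.update({s.name: evaluate_secret(s, t, now) for s in secrets})
    return out


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "compliant" if not findings else "; ".join(findings))
```

Note that "active" is measured from `nbf` when one was set, which is why the `api-token` secret (created in December but activated in January) is judged on a validity window that starts at activation; the built-in policies describe the same behaviour for secrets created with a future activation date.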
Category: General
Id: 6fdb9205-3462-4cfc-87d8-16c7860b53f4
DisplayName: [Deprecated]: Allow resource creation only in Japan data centers
Description: Allows resource creation in the following locations only: Japan East, Japan West
Effect: n/a
Roles used: n/a
Details (UTC): 2020-10-15 14:28:11 | remove: 6fdb9205-3462-4cfc-87d8-16c7860b53f4

Category: General
Id: e01598e8-6538-41ed-95e8-8b29746cd697
DisplayName: [Deprecated]: Allow resource creation only in Japan data centers
Description: Allows resource creation in the following locations only: Japan East, Japan West
Effect: n/a
Roles used: n/a
Details (UTC): 2020-10-15 14:28:11 | remove: e01598e8-6538-41ed-95e8-8b29746cd697

Category: Lighthouse
Id: 7a8a51a3-ad87-4def-96f3-65a1839242b6
DisplayName: Allow managing tenant ids to onboard through Azure Lighthouse
Description: Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.
Effect: Fixed deny
Roles used: none
Details (UTC): 2020-10-13 13:23:36 | change: Patch (1.0.0 > 1.0.1)

Category: Storage
Id: 4733ea7b-a883-42fe-8cac-97454c2a9e4a
DisplayName: Storage accounts should have infrastructure encryption
Description: Enable infrastructure encryption for a higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.
Effect: Default Audit (allowed: Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-07 16:00:33 | add: 4733ea7b-a883-42fe-8cac-97454c2a9e4a

Category: Lighthouse
Id: 7a8a51a3-ad87-4def-96f3-65a1839242b6
DisplayName: Allow managing tenant ids to onboard through Azure Lighthouse
Description: Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.
Effect: Fixed deny
Roles used: none
Details (UTC): 2020-09-30 14:32:32 | add: 7a8a51a3-ad87-4def-96f3-65a1839242b6
Category: Guest Configuration
Id: cc7cda28-f867-4311-8497-a526129a8d19
DisplayName: [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed auditIfNotExists
Roles used: none
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members

Category: Guest Configuration
Id: f3b44e5d-1456-475f-9c67-c66c4618e85a
DisplayName: [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed auditIfNotExists
Roles used: none
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members

Category: Guest Configuration
Id: bde62c94-ccca-4821-a815-92c1d31a76de
DisplayName: [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed auditIfNotExists
Roles used: none
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group contains any of the specified members

Category: Guest Configuration
Id: 02a84be7-c304-421f-9bb7-5d2c26af54ad
DisplayName: [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed auditIfNotExists
Roles used: none
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one

Category: Guest Configuration
Id: 93507a81-10a4-4af0-9ee2-34cf25a96e98
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members

Category: Guest Configuration
Id: 630c64f9-8b6b-4c64-b511-6544ceff6fd6
DisplayName: Audit Linux machines that are not using SSH key for authentication
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine allows passwords for authenticating through SSH.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: Audit Linux virtual machines on which the use of passwords for SSH is allowed
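The page does not say how the Guest Configuration package decides that a machine "allows passwords for authenticating through SSH", so the following is an added example of how a practitioner would make that decision from `sshd_config` alone; it is not Microsoft's check and it is not code from the page. It follows two sshd parsing rules that trip up naive greps: the first occurrence of a keyword wins, and an unset keyword takes the compiled-in default (`PasswordAuthentication` defaults to `yes`, so an untouched file is non-compliant). It also flags keyboard-interactive authentication, because with PAM that path usually still accepts the account password. `Match` blocks are deliberately left out of scope, and the three sample configurations are constructed.

```python
import re

# Compiled-in sshd defaults for the keywords this check cares about (assumption:
# stock OpenSSH; distribution packages may ship different defaults).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "yes",   # older keyword: ChallengeResponseAuthentication
}
KEYWORD_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")   # sshd accepts "Key value" or "Key=value"


def effective_sshd_settings(config_text: str) -> dict:
    """Return the global (pre-Match) values of the keywords in SSHD_DEFAULTS."""
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break   # conditional Match blocks are out of scope here (assumption)
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"     # same setting, old spelling
        if key in settings and key not in seen:      # first occurrence wins, as in sshd
            settings[key] = value
            seen.add(key)
    return settings


def ssh_password_findings(config_text: str) -> list:
    """A non-empty result means the host would be non-compliant with the policy above."""
    s = effective_sshd_settings(config_text)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes (explicitly or by default)")
    if s["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords is yes")
    if s["kbdinteractiveauthentication"] == "yes":
        # With UsePAM, keyboard-interactive normally still prompts for the account password.
        findings.append("keyboard-interactive authentication is enabled")
    return findings


def ssh_allows_passwords(config_text: str) -> bool:
    return bool(ssh_password_findings(config_text))


# Constructed sample configurations.
HARDENED = """
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""
UNTOUCHED = "Port 22\nPermitRootLogin no\n"          # authentication keywords left at defaults
FIRST_WINS = """
PasswordAuthentication no       # this line takes effect
KbdInteractiveAuthentication no
PasswordAuthentication yes      # ignored: sshd keeps the first value
Match User ops
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("hardened", HARDENED), ("untouched", UNTOUCHED), ("first-wins", FIRST_WINS)]:
        print(name, ssh_password_findings(cfg) or "compliant")
```

On a real host, run the check against the output of `sshd -T`, which prints the fully resolved configuration (including `Include`d files and defaults) rather than the raw file.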
Category: Kubernetes
Id: 0a15ec92-a229-4763-bb14-0ea34a568f8d
DisplayName: [Preview]: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
Description: Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
Effect: Default Audit (allowed: Audit, Disabled)
Roles used: none
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Preview]: Kubernetes Management Policy add-on should be installed and enabled on your clusters

Category: Guest Configuration
Id: b821191b-3a12-44bc-9c38-212138a29ff3
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members

Category: Guest Configuration
Id: 144f1397-32f9-4598-8c88-118decc3ccba
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members

Category: Guest Configuration
Id: bed48b13-6647-468e-aa2f-1af1d3f4dd40
DisplayName: Audit Windows machines on which Windows Defender Exploit Guard is not enabled
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match the expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled

Category: Guest Configuration
Id: 5bb36dda-8a78-4df9-affd-4f05a8612a8a
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-09-16 13:09:49 | change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Category: Guest Configuration
Id: 94d9aca8-3757-46df-aa51-f218c5f11954
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Account Management'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Management'

Category: Guest Configuration
Id: 2a7a701e-dff3-4da9-9ec5-42cb98594c0b
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Policy Change'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Policy Change'

Category: Guest Configuration
Id: f71be03e-e25b-4d0f-b8bc-9b3e309b66c0
DisplayName: Windows machines should meet requirements for 'Security Options - Recovery console'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Recovery console'

Category: Guest Configuration
Id: 8316fa92-d69c-4810-8124-62414f560dcf
DisplayName: Windows machines should meet requirements for 'System Audit Policies - System'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - System'

Category: Kubernetes
Id: 46592696-4c7b-4bf3-9e45-6c2763bdc0a6
DisplayName: Enforce labels on pods in Kubernetes cluster
Description: This policy enforces that the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default deny (allowed: audit, deny, disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Enforce labels on pods in Kubernetes cluster
Category: Guest Configuration
Id: 67e010c1-640d-438e-a3a5-feaccb533a98
DisplayName: Windows machines should meet requirements for 'Administrative Templates - Network'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Network'

Category: Guest Configuration
Id: 8794ff4f-1a35-4e18-938f-0b22055067cd
DisplayName: Windows machines should meet requirements for 'Security Options - Devices'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Devices'

Category: Guest Configuration
Id: d6c69680-54f0-4349-af10-94dd05f4225e
DisplayName: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'

Category: Guest Configuration
Id: 497dff13-db2a-4c0f-8603-28fa3b331ab6
DisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Fixed modify
Roles used: Contributor
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity

Category: Guest Configuration
Id: 33936777-f2ac-45aa-82ec-07958ec9ade4
DisplayName: Windows machines should meet requirements for 'Security Options - Audit'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default AuditIfNotExists (allowed: AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-09-15 14:06:41 | change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Audit'
Guest Configuration12017595-5a75-4bb1-9d97-4c2c939ea3c3Windows machines should meet requirements for 'Security Options - System settings'Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System settings'
Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed capabilities
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should not use forbidden sysctl interfaces
Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists
Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists
Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Interactive Logon'
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow the creation of privileged containers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Do not allow privileged containers in Kubernetes cluster
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Enforce HTTPS ingress in Kubernetes cluster | This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce HTTPS ingress in Kubernetes cluster
Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Control Panel'
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces that load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce internal load balancers in Kubernetes cluster
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pod hostPath volumes should only use allowed host paths
Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - User Account Control'
Guest Configuration | b4a4d1eb-0263-441b-84cb-a44073d8372d | Windows machines should meet requirements for 'Security Options - Shutdown' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Shutdown'
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify
Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Audit Windows machines on which Windows Defender Exploit Guard is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match the expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'User Rights Assignment'
Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists
Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Configure time zone on Windows machines.
Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System objects'
Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Settings - Account Policies'
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces that services listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed AppArmor profiles
Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods should only use approved host network and port range
Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'
Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Object Access'
Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure only allowed container images in Kubernetes cluster
Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Security'
Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | Enable Automanage - Azure virtual machine best practices | Automanage enrolls, configures, and monitors virtual machines with Azure VM best practice services. Use this policy to apply Automanage to your selected scope. | Fixed: deployIfNotExists
Contributor
2020-09-15 14:06:41
add: 270610db-8c04-438a-a739-e8e6745b22d3
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only use allowed SELinux options
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces that containers listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster
Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Server'
Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Firewall Properties'
Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Privilege Use'
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed ProcMountType
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | This policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods should only use allowed volume types
Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Logon'
Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - System'
Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs
Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster
Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Components'
Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Audit Linux machines that are not using SSH key for authentication | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow passwords for authenticating through SSH. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Audit Linux virtual machines on which the use of passwords for SSH is allowed
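The SSH entry above (630c64f9-8b6b-4c64-b511-6544ceff6fd6) reports a machine as non-compliant when sshd still accepts passwords. The following is an added example written for this page, not the Guest Configuration audit's own code. It answers that question from an sshd_config the way sshd reads the file: keywords are case-insensitive, the first value given for a keyword wins, PasswordAuthentication defaults to yes when unset, and values inside a Match block override the global section for the connections it matches. It also flags a path the policy text does not spell out: with UsePAM on, keyboard-interactive authentication normally prompts for the same Unix password. The sample configurations are constructed, and the upstream default of UsePAM no is assumed (most distribution packages ship UsePAM yes).

```python
import re

# Defaults per sshd_config(5). UsePAM "no" is the upstream default; this is an
# assumption for the example, since distro packages commonly ship "UsePAM yes".
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# ChallengeResponseAuthentication is the older name of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
_LINE = re.compile(r"([A-Za-z]+)\s*(?:=|\s)\s*(.*)$")  # "Key value" or "Key=value"


def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks); match_blocks is a list of
    (criteria, settings). Keywords are lower-cased and, as in sshd, the first
    value given for a keyword within a section is the one that counts."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":                       # later lines apply only to matching connections
            current = {}
            match_blocks.append((value, current))
            continue
        target = global_settings if current is None else current
        target.setdefault(key, value.lower())    # first value wins
    return global_settings, match_blocks


def password_login_reasons(text: str) -> list:
    """List every way the configuration still lets a client log in with a
    password. An empty list is what the audit above treats as compliant."""
    glob, blocks = parse_sshd_config(text)

    def effective(key):
        return glob.get(key, DEFAULTS[key])

    reasons = []
    if effective("passwordauthentication") != "no":
        how = ("unset, so it defaults to yes" if "passwordauthentication" not in glob
               else effective("passwordauthentication"))
        reasons.append(f"PasswordAuthentication is {how}")
    # Caveat beyond the policy text: PAM keyboard-interactive still takes a password.
    if effective("usepam") == "yes" and effective("kbdinteractiveauthentication") != "no":
        reasons.append("KbdInteractiveAuthentication via PAM still accepts passwords")
    for criteria, settings in blocks:
        if settings.get("passwordauthentication") == "yes":
            reasons.append(f"Match {criteria!r} re-enables PasswordAuthentication")
    return reasons


# Constructed sample: the duplicate PasswordAuthentication line is ignored by
# sshd (first value wins), but the PAM path and the Match block are real leaks.
LEAKY_CONFIG = """
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
# the next line does not take effect: the first value above wins
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

# Constructed sample that actually forces key-based logins.
KEY_ONLY_CONFIG = """
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY_CONFIG), ("key-only", KEY_ONLY_CONFIG)):
        print(name, "->", password_login_reasons(cfg) or "compliant")
```

Run it against a copy of /etc/ssh/sshd_config pulled from the machine; an empty list from password_login_reasons is the state the audit wants, and each reason names the directive to change.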
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should run with a read only root file system
Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for access by anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Access'
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes clusters should not allow container privilege escalation
Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Accounts'
Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'
Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
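The Kubernetes entries in this batch describe pod-level constraints: privileged containers, privilege escalation, host PID/IPC namespaces, host network and host port range, read-only root filesystem, allowed capabilities, hostPath paths, allowed images, approved user and group IDs, and CPU/memory limits. The following added example, written for this page and not Azure Policy's own code (the real definitions are OPA Gatekeeper constraint templates, see https://aka.ms/kubepolicydoc), checks a Pod manifest against those constraints before it reaches admission, so a deny can be anticipated in CI. The PodPolicy field names, the parameter values and the sample manifest are all assumptions made here. Two details worth noting: hostPath prefixes are compared component-wise, so allowing /var/log does not admit /var/logs-secret, and an unset allowPrivilegeEscalation is treated as allowed, which is the kubelet default.

```python
import re
from dataclasses import dataclass, field

_MEM_UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}


def cpu_millis(q) -> float:
    """'250m' -> 250, '2' -> 2000."""
    return float(str(q)[:-1]) if str(q).endswith("m") else float(q) * 1000


def mem_bytes(q) -> int:
    """'512Mi' -> 536870912, '1G' -> 1000000000."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|K|M|G)?", str(q))
    if not m:
        raise ValueError(f"unsupported memory quantity {q!r}")
    return int(m.group(1)) * _MEM_UNITS[m.group(2) or ""]


def path_allowed(path: str, allowed_prefixes) -> bool:
    """Component-wise prefix match: '/var/log' admits '/var/log/nginx' but not '/var/logs-secret'."""
    parts = path.rstrip("/").split("/")
    return any(parts[: len(p)] == p for p in (a.rstrip("/").split("/") for a in allowed_prefixes))


@dataclass  # field names are this example's own, not Azure Policy parameter names
class PodPolicy:
    allowed_capabilities: set = field(default_factory=set)
    allowed_host_paths: list = field(default_factory=list)
    allowed_image_prefixes: list = field(default_factory=list)
    allow_host_network: bool = False
    host_port_range: tuple = (0, 0)            # inclusive; (0, 0) means no hostPort at all
    uid_range: tuple = (1000, 65535)
    gid_range: tuple = (1000, 65535)
    max_cpu: str = "1"
    max_memory: str = "1Gi"


def check_pod(pod: dict, pol: PodPolicy) -> list:
    """Return one line per violation; an empty list means the Pod would pass."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    lo, hi = pol.host_port_range
    out = []
    if spec.get("hostPID") or spec.get("hostIPC"):
        out.append("pod shares the host PID or IPC namespace")
    if spec.get("hostNetwork") and not pol.allow_host_network:
        out.append("pod uses the host network")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        n, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"{n}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):      # unset == allowed (kubelet default)
            out.append(f"{n}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem"):
            out.append(f"{n}: root filesystem is writable")
        extra = set(sc.get("capabilities", {}).get("add", [])) - pol.allowed_capabilities
        if extra:
            out.append(f"{n}: capabilities not allowed: {sorted(extra)}")
        image = c.get("image", "")
        if not any(image.startswith(p) for p in pol.allowed_image_prefixes):
            out.append(f"{n}: image {image!r} is not from an allowed registry")
        for port in c.get("ports", []):
            hp = port.get("hostPort")
            if hp is not None and not lo <= hp <= hi:
                out.append(f"{n}: hostPort {hp} outside {lo}-{hi}")
        uid = sc.get("runAsUser", psc.get("runAsUser"))   # container setting overrides pod setting
        if uid is None or not pol.uid_range[0] <= uid <= pol.uid_range[1]:
            out.append(f"{n}: runAsUser {uid} outside {pol.uid_range}")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or cpu_millis(limits["cpu"]) > cpu_millis(pol.max_cpu):
            out.append(f"{n}: cpu limit missing or above {pol.max_cpu}")
        if "memory" not in limits or mem_bytes(limits["memory"]) > mem_bytes(pol.max_memory):
            out.append(f"{n}: memory limit missing or above {pol.max_memory}")
    gids = [psc.get("fsGroup"), psc.get("runAsGroup"), *psc.get("supplementalGroups", [])]
    for g in (g for g in gids if g is not None):
        if not pol.gid_range[0] <= g <= pol.gid_range[1]:
            out.append(f"pod group id {g} outside {pol.gid_range}")
    for v in spec.get("volumes", []):
        host_path = v.get("hostPath")
        if host_path and not path_allowed(host_path.get("path", ""), pol.allowed_host_paths):
            out.append(f"volume {v.get('name')}: hostPath {host_path.get('path')!r} is not allowed")
    return out


# Constructed manifest: 'app' breaks most of the rules, 'sidecar' is compliant.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "hostIPC": True,
        "securityContext": {"runAsUser": 1000, "fsGroup": 2000},
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/logs-secret"}}],
        "containers": [
            {"name": "app", "image": "docker.io/library/nginx:1.19",
             "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
             "ports": [{"containerPort": 80, "hostPort": 80}],
             "resources": {"limits": {"cpu": "2", "memory": "512Mi"}}},
            {"name": "sidecar", "image": "myregistry.azurecr.io/sidecar:1.0",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True, "runAsUser": 1001},
             "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}}},
        ],
    },
}
SAMPLE_POLICY = PodPolicy(allowed_capabilities={"NET_BIND_SERVICE"}, allowed_host_paths=["/var/log"],
                          allowed_image_prefixes=["myregistry.azurecr.io/"])

if __name__ == "__main__":
    print("\n".join(check_pod(SAMPLE_POD, SAMPLE_POLICY)) or "compliant")
```

Feed it the output of yaml.safe_load on a rendered manifest; every line it prints corresponds to a deny one of the definitions above would produce once its effect is set to deny, and the sidecar in the sample shows the securityContext shape that passes all of them.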
Guest Configuration | 6265018c-d7e2-432f-a75d-094d5f6f4465 | Audit Windows machines on which the Log Analytics agent is not connected as expected | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 6265018c-d7e2-432f-a75d-094d5f6f4465
Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect key vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Default: Audit
Allowed: (Audit,Disabled)
none
2020-09-09 11:24:03
add: 5f0bc445-3935-4915-9981-011aa2b46147

Guest Configuration
c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a
[Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the specified services are not installed and 'Running'

Guest Configuration
106ccbe4-a791-4f33-a44a-06796944b8d5
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root

Guest Configuration
ec49586f-4939-402d-a29e-6ff502b20592
[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords

Guest Configuration
3d2a3320-2a72-4c67-ac5f-caa40fbee2b2
Audit Windows machines that have extra accounts in the Administrators group
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter.
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2

Guest Configuration
5aa11bbc-5c76-4302-80e5-aba46a4282e7
[Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have a minimum password age of 1 day

Guest Configuration
30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7
Audit Windows machines missing any of specified members in the Administrators group
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter.
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7

Managed Application
9db7917b-1607-4e7d-a689-bca978dd0633
Application definition for Managed Application should use customer provided storage account
Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements.
Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-09 11:24:03
add: 9db7917b-1607-4e7d-a689-bca978dd0633

Guest Configuration
ebb67efd-3c46-49b0-adfe-5599eb944998
Audit Windows machines that don't have the specified applications installed
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall.
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: ebb67efd-3c46-49b0-adfe-5599eb944998

Guest Configuration
c40c9087-1981-4e73-9f53-39743eda9d05
[Deprecated]: Show audit results from Linux VMs that have accounts without passwords
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that have accounts without passwords

Guest Configuration
7e84ba44-6d03-46fd-950e-5efa5a1112fa
[Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that have not restarted within the specified number of days

Guest Configuration
7227ebe5-9ff7-47ab-b823-171cd02fb90f
[Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the DSC configuration is not compliant

Guest Configuration
69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f
Audit Windows machines that have the specified members in the Administrators group
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter.
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f

Guest Configuration
f48b2913-1dc5-4834-8c72-ccc1dfd819bb
[Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have the password complexity setting enabled

Guest Configuration
5b054a0d-39e2-4d53-bea3-9734cad2c69b
Audit Windows machines that allow re-use of the previous 24 passwords
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of the previous 24 passwords.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: 5b054a0d-39e2-4d53-bea3-9734cad2c69b

Guest Configuration
7a031c68-d6ab-406e-a506-697a19c634b0
[Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled
This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled

Guest Configuration
a2d0e922-65d0-40c4-8f87-ea6da2d307a2
Audit Windows machines that do not restrict the minimum password length to 14 characters
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not restrict the minimum password length to 14 characters.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: a2d0e922-65d0-40c4-8f87-ea6da2d307a2

Guest Configuration
144f1397-32f9-4598-8c88-118decc3ccba
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members
This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members

Guest Configuration
23020aa6-1135-4be2-bae2-149982b06eca
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters

Guest Configuration
f3b9ad83-000d-4dc1-bff0-6d54533dd03f
[Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root

Guest Configuration
f6ec09a3-78bf-4f8f-99dc-6c77182d0f99
Audit Linux machines that have accounts without passwords
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: f6ec09a3-78bf-4f8f-99dc-6c77182d0f99

Key Vault
55615ac9-af46-4a59-874e-391cc3dfb490
[Preview]: Firewall should be enabled on Key Vault
The key vault firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the key vault firewall to make sure that only traffic from allowed networks can access your key vault.
Default: Audit
Allowed: (Audit,Disabled)
none
2020-09-09 11:24:03
add: 55615ac9-af46-4a59-874e-391cc3dfb490

Security Center
a3a6ea0c-e018-4933-9ef0-5aaa1501449b
Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: a3a6ea0c-e018-4933-9ef0-5aaa1501449b

Guest Configuration
cc7cda28-f867-4311-8497-a526129a8d19
[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members

Guest Configuration
315c850a-272d-4502-8935-b79010405970
[Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain
This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain

Guest Configuration
9f658460-46b7-43af-8565-94fc0662be38
[Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that are not set to the specified time zone

Guest Configuration
1417908b-4bff-46ee-a2a6-4acc899320ab
Audit Windows machines that contain certificates expiring within the specified number of days
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates.
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 1417908b-4bff-46ee-a2a6-4acc899320ab

Guest Configuration
4ceb8dc2-559c-478b-a15b-733fbf1e3738
Audit Windows machines that do not have a maximum password age of 70 days
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a maximum password age of 70 days.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: 4ceb8dc2-559c-478b-a15b-733fbf1e3738

Guest Configuration
0447bc18-e2f7-4c0d-aa20-bff034275be1
Audit Linux machines that have the specified applications installed
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed.
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 0447bc18-e2f7-4c0d-aa20-bff034275be1

Guest Configuration
fee5cb2b-9d9b-410e-afe3-2902d90d0004
[Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that do not have the specified applications installed

Guest Configuration
f0633351-c7b2-41ff-9981-508fc08553c2
[Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed
This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that have the specified applications installed

Guest Configuration
8b0de57a-f511-4d45-a277-17cb79cb163b
[Deprecated]: Show audit results from Windows VMs with a pending reboot
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs with a pending reboot

Guest Configuration
2d67222d-05fd-4526-a171-2ee132ad9e83
[Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that allow remote connections from accounts without passwords

Guest Configuration
a030a57e-4639-4e8f-ade9-a92f33afe7ee
[Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected

Guest Configuration
9328f27e-611e-44a7-a244-39109d7d35ab
[Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that contain certificates expiring within the specified number of days

Guest Configuration
a29ee95c-0395-4515-9851-cc04ffe82a91
[Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that are not joined to the specified domain

Guest Configuration
f3b44e5d-1456-475f-9c67-c66c4618e85a
[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members

Guest Configuration
08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd
Audit Windows machines on which the DSC configuration is not compliant
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant.
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd

Guest Configuration
68511db2-bd02-41c4-ae6b-1900a012968a
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected

Guest Configuration
b821191b-3a12-44bc-9c38-212138a29ff3
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members
This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members

Guest Configuration
630ac30f-a234-4533-ac2d-e0df77acda51
Audit Windows machines network connectivity
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter.
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 630ac30f-a234-4533-ac2d-e0df77acda51

Guest Configuration
884b209a-963b-4520-8006-d20cb3c213e0
[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed
This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that have the specified applications installed

Guest Configuration
93507a81-10a4-4af0-9ee2-34cf25a96e98
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members
This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members

Guest Configuration
3470477a-b35a-49db-aca5-1073d04524fe
[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that have accounts without passwords

Guest Configuration
bde62c94-ccca-4821-a815-92c1d31a76de
[Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group contains any of the specified members

Guest Configuration
da0f98fe-a24b-4ad5-af69-bd0400233661
Audit Windows machines that do not store passwords using reversible encryption
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: da0f98fe-a24b-4ad5-af69-bd0400233661

Guest Configuration
5aebc8d1-020d-4037-89a0-02043a7524ec
[Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters

Guest Configuration
4d1c04de-2172-403f-901b-90608c35c721
[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed
This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed

Security Center
d62cfe2b-3ab0-4d41-980d-76803b58ca65
Log Analytics agent health issues should be resolved on your machines
Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: d62cfe2b-3ab0-4d41-980d-76803b58ca65

Guest Configuration
2d60d3b7-aa10-454c-88a8-de39d99d17c6
[Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not store passwords using reversible encryption

Guest Configuration
7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | c21f7060-c148-41cf-a68b-0ab3e14c764c | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone
Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a minimum password age of 1 day. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: 237b38db-ca4d-4259-9e47-7882441ca2c0
Guest Configuration | b2fc8f91-866d-4434-9089-5ebfe38d6fd8 | [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols
Security Center | 5a913c68-0590-402c-a531-e57e19379da3 | Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: 5a913c68-0590-402c-a531-e57e19379da3
Guest Configuration | c96f3246-4382-4264-bf6b-af0b35e23c3c | [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot | This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs with a pending reboot
Guest Configuration | beb6ccee-b6b8-4e91-9801-a5fa4260a104 | Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: beb6ccee-b6b8-4e91-9801-a5fa4260a104
Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: d3b823c9-e0fc-4453-9fb2-8213b7338523
Guest Configuration | 84662df4-0e37-44a6-9ce1-c9d2150db18c | Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 84662df4-0e37-44a6-9ce1-c9d2150db18c
Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the passwd file permissions set to 0644. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: e6955644-301c-44b5-a4c4-528577de6861
Guest Configuration | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: bf16e0bb-31e1-4646-8202-60a235cc7e74
Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Audit Windows web servers that are not using secure communication protocols | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 5752e6d6-1206-46d8-8ab1-ecc2f71a8112
Guest Configuration | 4221adbc-5c0f-474f-88b7-037a99e6114c | Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 4221adbc-5c0f-474f-88b7-037a99e6114c
Guest Configuration | 32b1e4d4-6cd5-47b4-a935-169da8a5c262 | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running'
Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
Guest Configuration | 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 | [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified applications installed
Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. | Default: Deny
Allowed: (Deny,Disabled)
none
2020-09-09 11:24:03
add: b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13
Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that have the specified applications installed
Guest Configuration | 58c460e9-7573-4bb2-9676-339c2f2486bb | Audit Windows machines on which Windows Serial Console is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 58c460e9-7573-4bb2-9676-339c2f2486bb
Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: 934345e1-4dfb-4c70-90d7-41990dc9608b
Security Center | a4fe33eb-e377-4efb-ab31-0784311bc499 | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: a4fe33eb-e377-4efb-ab31-0784311bc499
Guest Configuration | d7ccd0ca-8d78-42af-a43d-6b7f928accbc | [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled
SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. | Default: Deny
Allowed: (Deny,Disabled)
none
2020-09-09 11:24:03
add: a9934fd7-29f2-4e6d-ab3d-607ea38e9079
Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed
Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have a maximum password age of 70 days
Guest Configuration | 7e56b49b-5990-4159-a734-511ea19b731c | [Deprecated]: Show audit results from Windows VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that have the specified applications installed
Security Center | 6646a0bd-e110-40ca-bb97-84fcee63c414 | Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: 6646a0bd-e110-40ca-bb97-84fcee63c414
Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with matching status as specified by the policy parameter. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: e6ebf138-3d71-4935-a13b-9c7fdddd94df
Guest Configuration | c5b85cba-6e6f-4de4-95e1-f0233cd712ac | Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: c5b85cba-6e6f-4de4-95e1-f0233cd712ac
Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
add: c633f6a2-7f8b-4d9e-9456-02f0f04f5505
Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-09 11:24:03
add: ea53dbee-c6c9-4f0e-9f9e-de0039b78023
Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | 60ffe3e2-4604-4460-8f22-0f1da058266c | [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
none
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows web servers that are not using secure communication protocols
Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists
Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Vulnerability assessment should be enabled on virtual machines
Key Vault | cee51871-e572-4576-855c-047c820360f0 | [Preview]: Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage minimum key size for RSA certificates
App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on API app
App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on WEB App
Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | [Preview]: Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage allowed certificate key types
App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the API app
App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the Function app
Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | [Preview]: Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates issued by a non-integrated CA
Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | [Preview]: Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificate lifetime action triggers
App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Function App
Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | [Preview]: Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault, such as Digicert or GlobalSign. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates issued by an integrated CA
Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates that are within a specified number of days of expiration
Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificate validity period
Cognitive Services67121cc7-ff39-4ab8-b7e3-95b84dab487dCognitive Services accounts should enable data encryption with customer-managed keyCustomer-managed keys provide enhanced data protection by allowing you to manage your encryption keys for data stored in Cognitive Services. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Cognitive Services accounts should enable data encryption with customer managed key
App Service843664e0-7563-41ee-a9cb-7522c382d2c4[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web appThis policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Web app
Key Vaultbd78111f-4953-4367-9fd5-7e08808b54bf[Preview]: Certificates using elliptic curve cryptography should have allowed curve namesManage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default: audit
Allowed: (audit,deny,disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage allowed curve names for elliptic curve cryptography certificates
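The five [Preview] Key Vault certificate policies above (lifetime action triggers, integrated CA, expiry within N days, maximum validity period, allowed curve names) each audit one attribute of a certificate object. The Python below is an added illustration, not code from this page or from Azure Policy: it applies the same five checks to constructed certificate metadata so an administrator can see which certificates would be flagged before moving an assignment from audit to deny. The parameter names (max_validity_days, expiry_warning_days, max_trigger_lifetime_pct, and so on) and the sample certificates are this example's own assumptions; the real definitions use their own parameter names and read the certificate objects from the vault.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class CertRecord:
    """Metadata of one Key Vault certificate (constructed here, not read from a vault)."""
    name: str
    not_before: datetime
    not_after: datetime
    issuer: str                          # issuer provider name, e.g. "DigiCert", or "Self"
    key_type: str                        # "RSA" or "EC"
    curve: Optional[str]                 # curve name for EC keys, None for RSA
    trigger_lifetime_pct: Optional[int]  # lifetime action fires at this % of lifetime
    trigger_days_before: Optional[int]   # lifetime action fires this many days before expiry


@dataclass(frozen=True)
class CertPolicy:
    """Parameters for the five checks; the field names are this example's, not Azure's."""
    allowed_issuers: FrozenSet[str]
    max_validity_days: int
    expiry_warning_days: int
    allowed_curves: FrozenSet[str]
    max_trigger_lifetime_pct: int
    min_trigger_days_before: int


def evaluate(cert: CertRecord, policy: CertPolicy, now: datetime) -> Dict[str, bool]:
    """Map each policy to True (compliant) or False for one certificate."""
    validity_days = (cert.not_after - cert.not_before).days
    days_left = (cert.not_after - now).days
    # A lifetime action is acceptable if it fires early enough by either measure.
    trigger_ok = (
        cert.trigger_lifetime_pct is not None
        and cert.trigger_lifetime_pct <= policy.max_trigger_lifetime_pct
    ) or (
        cert.trigger_days_before is not None
        and cert.trigger_days_before >= policy.min_trigger_days_before
    )
    return {
        "lifetime action triggers": trigger_ok,
        "integrated CA": cert.issuer in policy.allowed_issuers,
        "not expiring within N days": days_left > policy.expiry_warning_days,
        "maximum validity period": validity_days <= policy.max_validity_days,
        # The curve check only applies to EC keys; RSA certificates are out of its scope.
        "allowed curve names": cert.key_type != "EC" or cert.curve in policy.allowed_curves,
    }


def noncompliant(cert: CertRecord, policy: CertPolicy, now: datetime) -> List[str]:
    """Names of the policies this certificate would fail, sorted for stable output."""
    return sorted(name for name, ok in evaluate(cert, policy, now).items() if not ok)


NOW = datetime(2020, 10, 23, tzinfo=timezone.utc)  # evaluation time; the page's sync date

POLICY = CertPolicy(                      # illustrative parameter values
    allowed_issuers=frozenset({"DigiCert", "GlobalSign"}),
    max_validity_days=397,                # roughly 13 months
    expiry_warning_days=30,
    allowed_curves=frozenset({"P-256", "P-384"}),
    max_trigger_lifetime_pct=80,
    min_trigger_days_before=30,
)

SAMPLE_CERTS = [                          # constructed sample data
    CertRecord("api-tls", NOW - timedelta(days=100), NOW + timedelta(days=265),
               "DigiCert", "EC", "P-256", 80, None),
    CertRecord("legacy-web", NOW - timedelta(days=700), NOW + timedelta(days=20),
               "GlobalSign", "RSA", None, None, 10),
    CertRecord("dev-selfsigned", NOW - timedelta(days=10), NOW + timedelta(days=355),
               "Self", "EC", "P-256K", 90, None),
]


def report(certs=SAMPLE_CERTS, policy=POLICY, now=NOW) -> Dict[str, List[str]]:
    """Certificate name -> list of policies it fails (empty list means fully compliant)."""
    return {c.name: noncompliant(c, policy, now) for c in certs}


if __name__ == "__main__":
    for name, failures in report().items():
        print(f"{name}: {'compliant' if not failures else ', '.join(failures)}")
```

Running the block lists "legacy-web" as failing the trigger, validity and expiry checks and "dev-selfsigned" as failing the issuer, curve and trigger checks, while "api-tls" passes all five; the RSA certificate is deliberately treated as compliant with the curve policy, since that policy covers ECC certificates only.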
Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | [Preview]: Linux machines should meet requirements for the Azure security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not meet the requirements for the Azure security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
add: fc9b3da7-8347-4380-8e70-0a0361d8dedd
App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on Function App
Synapse | 84ce0900-69cd-4b5e-b676-0b5a66d027c9 | [Preview]: Resource type for Azure Synapse linked service should be in allowed list | You can define an allowed list of resource types for Azure Synapse linked service to restrict creation or update on a scope. With this policy in place you can have a better control over the boundary of data movement. | n/a | n/a
2020-08-31 13:45:20
remove: 84ce0900-69cd-4b5e-b676-0b5a66d027c9 (i)
Guest Configuration | e0efc13a-122a-47c5-b817-2ccfe5d12615 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy | This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-27 15:39:26
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy
Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default: audit
Allowed: (audit,deny,disabled)
none
2020-08-27 15:39:26
add: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | Azure Machine Learning workspaces should use private link | Evaluate Azure Machine Learning workspaces that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/azureml-workspaces-privatelink. | Default: Audit
Allowed: (Audit,Disabled)
none
2020-08-27 15:39:26
add: 40cec1dd-a100-4920-b15b-3024fe8901ab
Guest Configuration | 3e4e2bd5-15a2-4628-b3e1-58977e9793f3 | Audit Windows machines that do not have the specified Windows PowerShell modules installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-27 15:39:26
add: 3e4e2bd5-15a2-4628-b3e1-58977e9793f3
Guest Configuration | 16f9b37c-4408-4c30-bc17-254958f2e2d6 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-08-27 15:39:26
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed
Guest Configuration | c648fbbb-591c-4acd-b465-ce9b176ca173 | Audit Windows machines that do not have the specified Windows PowerShell execution policy | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-27 15:39:26
add: c648fbbb-591c-4acd-b465-ce9b176ca173
Guest Configuration | f8036bd0-c10b-4931-86bb-94a878add855 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-08-27 15:39:26
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy
Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK) | Evaluate Azure Machine Learning workspaces that do not have encryption enabled with customer-managed keys (CMK). Customer-managed keys add an additional layer of security for workspaces. For more information, visit https://aka.ms/azureml-workspaces-cmk. | Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-08-27 15:39:26
add: ba769a63-b8cc-4b2d-abf6-ac33c7204be8
Synapse | 84ce0900-69cd-4b5e-b676-0b5a66d027c9 | [Preview]: Resource type for Azure Synapse linked service should be in allowed list | Fixed: none
2020-08-27 15:39:26
add: 84ce0900-69cd-4b5e-b676-0b5a66d027c9
Network | c251913d-7d24-4958-af87-478ed3b9ba41 | Flow log should be configured for every network security group | Audit for network security groups to verify if flow log resource is configured. Flow logs record information about IP traffic flowing through a network security group. They can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | Fixed: audit | none
2020-08-27 15:39:26
add: c251913d-7d24-4958-af87-478ed3b9ba41
Guest Configuration | 90ba2ee7-4ca8-4673-84d1-c851c50d3baf | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-27 15:39:26
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed
Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures a flow log for a specific network security group, recording information about IP traffic flowing through it. Flow logs help identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. | Fixed: deployIfNotExists | Contributor
2020-08-27 15:39:26
add: 0db34a60-64f4-4bf6-bd44-f95c16cf34b9
Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: e068b215-0026-4354-b347-8fb2766f73a2
Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security', including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 1221c620-d201-468c-81e7-2817e6107e84
Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 2f262ace-812a-4fd0-b731-b38ba9e9708d
Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 8794ff4f-1a35-4e18-938f-0b22055067cd
Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 8537fe96-8cbe-43de-b0ef-131bc72bc22a
Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5
Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: caf2d518-f029-4f6b-833b-d7081702f253
Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 87845465-c458-45f3-af66-dcd62176f397
Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration30040dab-4e75-4456-8273-14b8f75d91d9[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExistsnone
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration7040a231-fb65-4412-8c0a-b365f4866c24[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Guest Configuratione425e402-a050-45e5-b010-bd3f934589fc[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration8316fa92-d69c-4810-8124-62414f560dcfWindows machines should meet requirements for 'System Audit Policies - System'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 8316fa92-d69c-4810-8124-62414f560dcf
Guest Configurationfcbc55c9-f25a-4e55-a6cb-33acb3be778b[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExistsnone
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuratione0a7e899-2ce2-4253-8a13-d808fdeb75afWindows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: e0a7e899-2ce2-4253-8a13-d808fdeb75af
Guest Configuration
29829ec2-489d-4925-81b7-bda06b1718e0
[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration
3aa2661b-02d7-4ba6-99bc-dc36b10489fd
Windows machines should meet requirements for 'Administrative Templates - Control Panel'
Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 3aa2661b-02d7-4ba6-99bc-dc36b10489fd
Guest Configuration
3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd
Windows machines should meet requirements for 'Security Options - Network Access'
Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd
Guest Configuration
e3a77a94-cf41-4ee8-b45c-98be28841c03
[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration
12017595-5a75-4bb1-9d97-4c2c939ea3c3
Windows machines should meet requirements for 'Security Options - System settings'
Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 12017595-5a75-4bb1-9d97-4c2c939ea3c3
Guest Configuration
ddb53c61-9db4-41d4-a953-2abff5b66c12
[Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration
97b595c8-fd10-400e-8543-28e2b9138b13
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration
c1e289c0-ffad-475d-a924-adc058765d65
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration
67e010c1-640d-438e-a3a5-feaccb533a98
Windows machines should meet requirements for 'Administrative Templates - Network'
Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 67e010c1-640d-438e-a3a5-feaccb533a98
Guest Configuration
7229bd6a-693d-478a-87f0-1dc1af06f3b8
[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration
19be9779-c776-4dfa-8a15-a2fd5dc843d6
Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'
Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 19be9779-c776-4dfa-8a15-a2fd5dc843d6
Guest Configuration
ee984370-154a-4ee8-9726-19d900e56fc0
Windows machines should meet requirements for 'Security Options - Accounts'
Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: ee984370-154a-4ee8-9726-19d900e56fc0
Guest Configuration
d6c69680-54f0-4349-af10-94dd05f4225e
Windows machines should meet requirements for 'Security Options - Microsoft Network Client'
Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: d6c69680-54f0-4349-af10-94dd05f4225e
Guest Configuration
f1f4825d-58fb-4257-8016-8c00e3c9ed9d
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration
dd4680ed-0559-4a6a-ad10-081d14cbb484
[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration
492a29ed-d143-4f03-b6a4-705ce081b463
Windows machines should meet requirements for 'Security Options - User Account Control'
Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 492a29ed-d143-4f03-b6a4-705ce081b463
Guest Configuration
40917425-69db-4018-8dae-2a0556cef899
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration
5c028d2a-1889-45f6-b821-31f42711ced8
[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration
bc87d811-4a9b-47cc-ae54-0a41abda7768
[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration
12ae2d24-3805-4b37-9fa9-465968bfbcfa
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration
b4a4d1eb-0263-441b-84cb-a44073d8372d
Windows machines should meet requirements for 'Security Options - Shutdown'
Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: b4a4d1eb-0263-441b-84cb-a44073d8372d
Guest Configuration
21e2995e-683e-497a-9e81-2f42ad07050a
[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Guest Configuration
c04255ee-1b9f-42c1-abaa-bf1553f79930
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration
bbcdd8fa-b600-4ee3-85b8-d184e3339652
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration
94d9aca8-3757-46df-aa51-f218c5f11954
Windows machines should meet requirements for 'System Audit Policies - Account Management'
Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 94d9aca8-3757-46df-aa51-f218c5f11954
Guest Configuration
a1e8dda3-9fd2-4835-aec3-0e55531fde33
[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration
33936777-f2ac-45aa-82ec-07958ec9ade4
Windows machines should meet requirements for 'Security Options - Audit'
Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 33936777-f2ac-45aa-82ec-07958ec9ade4
Guest Configuration
815dcc9f-6662-43f2-9a03-1b83e9876f24
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Guest Configuration
0a9991e6-21be-49f9-8916-a06d934bcf29
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration
b872a447-cc6f-43b9-bccf-45703cd81607
[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration
86880e5c-df35-43c5-95ad-7e120635775e
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration
ec7ac234-2af5-4729-94d2-c557c071799d
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration
87b590fe-4a1d-4697-ae74-d4fe72ab786c
[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration
498b810c-59cd-4222-9338-352ba146ccf3
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration
8bbd627e-4d25-4906-9a6e-3789780af3ec
[Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration
b3802d79-dd88-4bce-b81d-780218e48280
[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration
58383b73-94a9-4414-b382-4146eb02611b
Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: 58383b73-94a9-4414-b382-4146eb02611b
Guest Configuration
f71be03e-e25b-4d0f-b8bc-9b3e309b66c0
Windows machines should meet requirements for 'Security Options - Recovery console'
Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: f71be03e-e25b-4d0f-b8bc-9b3e309b66c0
Guest Configuration
985285b7-b97a-419c-8d48-c88cc934c8d8
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration
7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c
[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration
9178b430-2295-406e-bb28-f6a7a2a2f897
[Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Components'
Guest Configuration
60aeaf73-a074-417a-905f-7ce9df0ff77b
[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration
d472d2c9-d6a3-4500-9f5f-b15f123005aa
Windows machines should meet requirements for 'Security Options - Interactive Logon'
Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-08-20 14:05:01
add: d472d2c9-d6a3-4500-9f5f-b15f123005aa
Guest Configuration
97646672-5efa-4622-9b54-740270ad60bf
[Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration
ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
Category: Guest Configuration
Id: 35781875-8026-4628-b19b-f6efb4d88a1d
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Object Access'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-20 14:05:01
add: 35781875-8026-4628-b19b-f6efb4d88a1d
Category: Guest Configuration
Id: 8a39d1f1-5513-4628-b261-f469a5a3341b
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
Roles used: none
Details (UTC): 2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Category: Guest Configuration
Id: f56a3ab2-89d1-44de-ac0d-2ada5962e22a
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Category: Guest Configuration
Id: f2143251-70de-4e81-87a8-36cee5a2f29d
DisplayName: Windows machines should meet requirements for 'Security Settings - Account Policies'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-20 14:05:01
add: f2143251-70de-4e81-87a8-36cee5a2f29d
Category: Guest Configuration
Id: ba12366f-f9a6-42b8-9d98-157d0b1a837b
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
Roles used: none
Details (UTC): 2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Category: Guest Configuration
Id: 968410dc-5ca0-4518-8a5b-7b55f0530ea9
DisplayName: Windows machines should meet requirements for 'Administrative Templates - System'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-20 14:05:01
add: 968410dc-5ca0-4518-8a5b-7b55f0530ea9
Category: Guest Configuration
Id: 35d9882c-993d-44e6-87d2-db66ce21b636
DisplayName: Windows machines should meet requirements for 'Windows Firewall Properties'
Description: Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-20 14:05:01
add: 35d9882c-993d-44e6-87d2-db66ce21b636
Category: Guest Configuration
Id: 2a7a701e-dff3-4da9-9ec5-42cb98594c0b
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Policy Change'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-20 14:05:01
add: 2a7a701e-dff3-4da9-9ec5-42cb98594c0b
Category: Guest Configuration
Id: e3d95ab7-f47a-49d8-a347-784177b6c94c
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Category: Guest Configuration
Id: 225e937e-d32e-4713-ab74-13ce95b3519a
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
Roles used: none
Details (UTC): 2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Category: Guest Configuration
Id: 3d7b154e-2700-4c8c-9e46-cb65ac1578c2
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
Roles used: none
Details (UTC): 2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Category: Security Center
Id: ac4a19c2-fa67-49b4-8ae5-0b2e78c49457
DisplayName: Role-Based Access Control (RBAC) should be used on Kubernetes Services
Description: To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.
Effect: Default: Audit; Allowed: (Audit,Disabled)
Roles used: none
Details (UTC): 2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services
Category: App Platform
Id: af35e2a4-ef96-44e7-a9ae-853dd97032c4
DisplayName: Azure Spring Cloud should use network injection
Description: Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.
Effect: Default: Audit; Allowed: (Audit,Disabled,Deny)
Roles used: none
Details (UTC): 2020-08-19 13:49:29
add: af35e2a4-ef96-44e7-a9ae-853dd97032c4
Category: Security Center
Id: fb893a29-21bb-418c-a157-e99480ec364c
DisplayName: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Description: Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+.
Effect: Default: Audit; Allowed: (Audit,Disabled)
Roles used: none
Details (UTC): 2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Category: Security Center
Id: 5f0f936f-2f01-4bf5-b6be-d423792fa562
DisplayName: Vulnerabilities in Azure Container Registry images should be remediated
Description: Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-19 13:49:29
add: 5f0f936f-2f01-4bf5-b6be-d423792fa562
Category: Security Center
Id: 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea
DisplayName: Authorized IP ranges should be defined on Kubernetes Services
Description: Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.
Effect: Default: Audit; Allowed: (Audit,Disabled)
Roles used: none
Details (UTC): 2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Authorized IP ranges should be defined on Kubernetes Services
Category: Storage
Id: 6fac406b-40ca-413b-bf8e-0bf964659c25
DisplayName: Storage account should use customer-managed key for encryption
Description: Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.
Effect: Default: Audit; Allowed: (Audit,Disabled)
Roles used: none
Details (UTC): 2020-08-18 14:06:57
add: 6fac406b-40ca-413b-bf8e-0bf964659c25
Category: Storage
Id: 6edd7eda-6dd8-40f7-810d-67160c639cd9
DisplayName: Storage account should use a private link connection
Description: Private links enforce secure communication by providing private connectivity to the storage account.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-18 14:06:57
add: 6edd7eda-6dd8-40f7-810d-67160c639cd9
Category: Storage
Id: 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f
DisplayName: Storage accounts should restrict network access using virtual network rules
Description: Protect your storage accounts from potential threats using virtual network rules in preference to IP-based filtering. Disallowing IP-based filtering prevents public IPs from accessing your storage accounts.
Effect: Default: Audit; Allowed: (Audit,Deny,Disabled)
Roles used: none
Details (UTC): 2020-08-18 14:06:57
add: 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f
Category: Guest Configuration
Id: 331e8ea8-378a-410f-a2e5-ae22f38bb0da
DisplayName: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Description: This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux virtual machines
Category: SQL
Id: 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8
DisplayName: [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts
Description: Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance.
Effect: Default: Disabled; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts
Category: App Configuration
Id: 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1
DisplayName: App Configuration should use a customer-managed key
Description: Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements.
Effect: Default: Audit; Allowed: (Audit,Disabled)
Roles used: none
Details (UTC): 2020-08-05 13:05:29
change: Previous DisplayName: App Configuration should use a customer managed key
Category: Guest Configuration
Id: 497dff13-db2a-4c0f-8603-28fa3b331ab6
DisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Fixed: modify
Roles used: Contributor
Details (UTC): 2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity
Category: SQL
Id: aeb23562-188d-47cb-80b8-551f16ef9fff
DisplayName: [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings
Description: Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins.
Effect: Default: Disabled; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings
Category: SQL
Id: c8343d2f-fdc9-4a97-b76f-fc71d1163bfc
DisplayName: [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings
Description: Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.
Effect: Default: Disabled; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
Category: Guest Configuration
Id: 385f5831-96d4-41db-9a3c-cd3af78aaae6
DisplayName: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Description: This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows virtual machines
Category: Guest Configuration
Id: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
DisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Fixed: modify
Roles used: Contributor
Details (UTC): 2020-07-17 15:57:10
add: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Category: Guest Configuration
Id: 497dff13-db2a-4c0f-8603-28fa3b331ab6
DisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Effect: Fixed: modify
Roles used: Contributor
Details (UTC): 2020-07-17 15:57:10
add: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Category: Guest Configuration
Id: fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50
DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Description: This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-07-17 15:57:10
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Category: Guest Configuration
Id: 0ecd903d-91e7-4726-83d3-a229d7f2e293
DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Description: This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Effect: Fixed: deployIfNotExists
Roles used: Contributor
Details (UTC): 2020-07-17 15:57:10
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Category: Security Center
Id: 308fbb08-4ab8-4e67-9b29-592e93fb94fa
DisplayName: Azure Defender for Storage should be enabled
Description: Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Storage accounts
Category: Security Center
Id: 523b5cd1-3e23-492f-a539-13118b6d1e3a
DisplayName: Azure Defender for Kubernetes should be enabled
Description: Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Azure Kubernetes Service
Category: Security Center
Id: 0e6763cc-5078-4e64-889d-ff4d9a839047
DisplayName: Azure Defender for Key Vault should be enabled
Description: Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Key Vault
Category: Security Center
Id: 6581d072-105e-4418-827f-bd446d56421b
DisplayName: Azure Defender for SQL servers on machines should be enabled
Description: Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: Advanced data security should be enabled on SQL Server on Virtual Machines
Category: Security Center
Id: 2913021d-f2fd-4f3d-b958-22354e2bdbcb
DisplayName: Azure Defender for App Service should be enabled
Description: Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on App Service
Category: Security Center
Id: 47a6b606-51aa-4496-8bb7-64b11cf66adc
DisplayName: Adaptive application controls for defining safe applications should be enabled on your machines
Description: Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: Adaptive application controls for whitelisting safe applications should be enabled on your machines
Category: Security Center
Id: 501541f7-f7e7-4cd6-868c-4190fdad3ac9
DisplayName: A vulnerability assessment solution should be enabled on your virtual machines
Description: Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: [Preview] Vulnerability Assessment should be enabled on Virtual Machines
Category: SQL
Id: 32e6bbec-16b6-44c2-be37-c5b672d103cf
DisplayName: Azure SQL Database should have the minimal TLS version of 1.2
Description: Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.
Effect: Default: Audit; Allowed: (Audit,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
add: 32e6bbec-16b6-44c2-be37-c5b672d103cf
Category: Security Center
Id: 123a3936-f020-408a-ba0c-47873faf1534
DisplayName: Allowlist rules in your adaptive application control policy should be updated
Description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: Whitelisting rules in your adaptive application control policy should be updated
Category: Security Center
Id: c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
DisplayName: Azure Defender for container registries should be enabled
Description: Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Azure Container Registry
Category: SQL
Id: a8793640-60f7-487c-b5c3-1d37215905c4
DisplayName: SQL Managed Instance should have the minimal TLS version of 1.2
Description: Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.
Effect: Default: Audit; Allowed: (Audit,Disabled)
Roles used: none
Details (UTC): 2020-07-14 15:28:17
add: a8793640-60f7-487c-b5c3-1d37215905c4
Category: Kubernetes
Id: df49d893-a74c-421d-bc95-c663042e5b80
DisplayName: Kubernetes cluster containers should run with a read only root file system
Description: This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: df49d893-a74c-421d-bc95-c663042e5b80
Category: Kubernetes
Id: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
DisplayName: Kubernetes cluster containers should only use allowed ProcMountType
Description: This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
Category: Network
Id: be7ed5c8-2660-4136-8216-e6f3412ba909
DisplayName: [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway
Description: Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources.
Effect: Default: Deny; Allowed: (Audit,Deny,Disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
change: Previous DisplayName: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway
Category: Kubernetes
Id: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
DisplayName: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Description: This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
Category: Kubernetes
Id: f06ddb64-5fa3-4b77-b166-acb36f7f6042
DisplayName: Kubernetes cluster pods and containers should only run with approved user and group IDs
Description: This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: f06ddb64-5fa3-4b77-b166-acb36f7f6042
Category: SQL
Id: 77e8b146-0078-4fb2-b002-e112381199f0
DisplayName: Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet
Description: Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary.
Effect: Fixed: AuditIfNotExists
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: 77e8b146-0078-4fb2-b002-e112381199f0
Category: Kubernetes
Id: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
DisplayName: Kubernetes cluster containers should not share host process ID or host IPC namespace
Description: This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
Category: Kubernetes
Id: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
DisplayName: Kubernetes clusters should not allow container privilege escalation
Description: This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
Category: Kubernetes
Id: 098fc59e-46c7-4d99-9b16-64990e543d75
DisplayName: Kubernetes cluster pod hostPath volumes should only use allowed host paths
Description: This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: 098fc59e-46c7-4d99-9b16-64990e543d75
Category: Network
Id: 055aa869-bc98-4af8-bafc-23f1ab6ffe2c
DisplayName: Web Application Firewall (WAF) should be enabled for Azure Front Door Service
Description: Requires Web Application Firewall (WAF) on any Azure Front Door Service. A Web Application Firewall provides greater security for your other Azure resources.
Effect: Default: Audit; Allowed: (Audit,Deny,Disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: 055aa869-bc98-4af8-bafc-23f1ab6ffe2c
Category: Network
Id: 12430be1-6cc8-4527-a9a8-e3d38f250096
DisplayName: Web Application Firewall (WAF) should use the specified mode for Application Gateway
Description: Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway.
Effect: Default: Audit; Allowed: (Audit,Deny,Disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: 12430be1-6cc8-4527-a9a8-e3d38f250096
Category: Kubernetes
Id: e1e6c427-07d9-46ab-9689-bfa85431e636
DisplayName: Kubernetes cluster pods and containers should only use allowed SELinux options
Description: This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: e1e6c427-07d9-46ab-9689-bfa85431e636
Category: Network
Id: f6b68e5a-7207-4638-a1fb-47d90404209e
DisplayName: [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service
Description: Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group.
Effect: Default: Deny; Allowed: (Audit,Deny,Disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
change: Previous DisplayName: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service
Category: Kubernetes
Id: 56d0a13f-712f-466b-8416-56fb354fb823
DisplayName: Kubernetes cluster containers should not use forbidden sysctl interfaces
Description: This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: audit; Allowed: (audit,deny,disabled)
Roles used: none
Details (UTC): 2020-07-08 14:28:08
add: 56d0a13f-712f-466b-8416-56fb354fb823
Network425bea59-a659-4cbb-8d31-34499bd030b8Web Application Firewall (WAF) should use the specified mode for Azure Front Door ServiceMandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-07-08 14:28:08
add: 425bea59-a659-4cbb-8d31-34499bd030b8
SQL1b8ca024-1d5c-4dec-8995-b1a932b41780Public network access on Azure SQL Database should be disabledDisabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Fixed: auditnone
2020-07-08 14:28:08
change: Previous DisplayName: Audit public network access setting for Azure SQL Database
Kubernetes511f5417-5d12-434d-ab2e-816901e72a5eKubernetes cluster containers should only use allowed AppArmor profilesThis policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: 511f5417-5d12-434d-ab2e-816901e72a5e
Network564feb30-bf6a-4854-b4bb-0d2d2d1e6c66Web Application Firewall (WAF) should be enabled for Application GatewayRequires Web Application Firewall (WAF) on any Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-07-08 14:28:08
add: 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66
Kubernetes16697877-1118-4fb1-9b65-9898ec2509ecKubernetes cluster pods should only use allowed volume typesThis policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: 16697877-1118-4fb1-9b65-9898ec2509ec
Kubernetes82985f06-dc18-4a48-bc1c-b9f4f0098cfeKubernetes cluster pods should only use approved host network and port rangeThis policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: 82985f06-dc18-4a48-bc1c-b9f4f0098cfe
SQL7698e800-9299-47a6-b3b6-5a0fee576eedPrivate endpoint connections on Azure SQL Database should be enabledPrivate endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Fixed: auditnone
2020-07-08 14:28:08
change: Previous DisplayName: Azure SQL Databases should have private endpoint connections
Kubernetes975ce327-682c-4f2e-aa46-b9598289b86cKubernetes cluster containers should only use allowed seccomp profilesThis policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: 975ce327-682c-4f2e-aa46-b9598289b86c
Kubernetesc26596ff-4d70-4e6a-9a30-c2506bd2f80cKubernetes cluster containers should only use allowed capabilitiesThis policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit,deny,disabled)
none
2020-07-08 14:28:08
add: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled; Allowed: (AuditIfNotExists,Disabled) | none | 2020-07-01 14:50:07; change: Previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled; Allowed: (AuditIfNotExists,Disabled) | none | 2020-07-01 14:50:07; change: Previous DisplayName: Advanced data security settings for SQL managed instance should contain an email address to receive security alerts
SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Fixed: audit | none | 2020-07-01 14:50:07; add: 7698e800-9299-47a6-b3b6-5a0fee576eed
SQL | e756b945-1b1b-480b-8de8-9a0859d5f7ad | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled; Allowed: (AuditIfNotExists,Disabled) | none | 2020-07-01 14:50:07; change: Previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings
SQL | bda18df3-5e41-4709-add9-2554ce68c966 | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings | It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled; Allowed: (AuditIfNotExists,Disabled) | none | 2020-07-01 14:50:07; change: Previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings
SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled; Allowed: (AuditIfNotExists,Disabled) | none | 2020-07-01 14:50:07; change: Previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings
VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may expose resources directly to the internet and increase the potential attack surface. | Default: Audit; Allowed: (Audit,Disabled) | none | 2020-07-01 14:50:07; add: 2154edb9-244f-4741-9970-660785bccdaa
SQL | 9677b740-f641-4f3c-b9c5-466005c85278 | [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | Default: Disabled; Allowed: (AuditIfNotExists,Disabled) | none | 2020-07-01 14:50:07; change: Previous DisplayName: Advanced data security settings for SQL server should contain an email address to receive security alerts
SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Fixed: audit | none | 2020-07-01 14:50:07; add: 1b8ca024-1d5c-4dec-8995-b1a932b41780
SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private links | Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. | Default: Audit; Allowed: (Audit,Disabled) | none | 2020-07-01 14:50:07; change: Previous DisplayName: [Preview]: Azure SignalR Service should use private links
Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-30 14:58:19; change: Previous DisplayName: Audit prerequisites to enable Guest Configuration policies on Windows VMs.
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | 2020-06-29 05:46:45; change: Previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | n/a | n/a | 2020-06-29 05:46:45; remove: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | 2020-06-29 05:46:45; change: Previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | n/a | n/a | 2020-06-29 05:46:45; remove: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | 2020-06-23 16:03:25; add: 331e8ea8-378a-410f-a2e5-ae22f38bb0da
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor | 2020-06-23 16:03:25; add: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | [Preview]: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit; Allowed: (Audit,Disabled) | none | 2020-06-23 16:03:25; add: 0a15ec92-a229-4763-bb14-0ea34a568f8d
Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | 2020-06-23 16:03:25; add: 385f5831-96d4-41db-9a3c-cd3af78aaae6
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | This policy helps provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting; Allowed: (enforceSetting,disabled) | none | 2020-06-23 16:03:25; add: 6a6f7384-63de-11ea-bc55-0242ac130003
Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
Security Center | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: 4da35fc9-c9e7-4960-aec9-797fe7d9051d
Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: 6581d072-105e-4418-827f-bd446d56421b
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | 2020-06-23 16:03:25; change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: faf25c8c-9598-4305-b4de-0aee1317fb31
Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB account should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Cosmos DB when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. See https://aka.ms/cosmosdb-cmk | Default: audit; Allowed: (audit,deny,disabled) | none | 2020-06-23 16:03:25; add: 1f905d99-2ab7-462c-a6b0-f709acca6c8f
Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: 2913021d-f2fd-4f3d-b958-22354e2bdbcb
Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: 0e6763cc-5078-4e64-889d-ff4d9a839047
Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny; Allowed: (Audit,Deny,Disabled) | none | 2020-06-23 16:03:25; add: 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb
API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: audit; Allowed: (audit,disabled) | none | 2020-06-23 16:03:25; add: 0fea8f8a-4169-495d-8307-30ec335f387d
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor | 2020-06-23 16:03:25; change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: 308fbb08-4ab8-4e67-9b29-592e93fb94fa
Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: 523b5cd1-3e23-492f-a539-13118b6d1e3a
Security Center | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none | 2020-06-23 16:03:25; add: 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor | 2020-06-23 16:03:25; add: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor | 2020-06-22 16:06:25; change: Previous DisplayName: Deploy Dependency agent for Linux VMs
Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Log Analytics Contributor | 2020-06-22 16:06:25; change: Previous DisplayName: Deploy Dependency agent for Windows VMs
Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny; Allowed: (Audit,Deny,Disabled) | none | 2020-06-11 19:46:04; add: be7ed5c8-2660-4136-8216-e6f3412ba909
Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny; Allowed: (Audit,Deny,Disabled) | none | 2020-06-11 19:46:04; add: f6b68e5a-7207-4638-a1fb-47d90404209e
Guest Configurationbc87d811-4a9b-47cc-ae54-0a41abda7768[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExistsnone
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Kubernetes1d61c4d2-aef2-432b-87fc-7f96b019b7e1[Preview]: Deploy GitOps to Kubernetes clusterThis policy deploys a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth from the defined git repo. For instructions on using this policy, visit https://aka.ms/K8sGitOpsPolicy. Fixed: DeployIfNotExistsContributor
2020-06-09 16:25:53
add: 1d61c4d2-aef2-432b-87fc-7f96b019b7e1
Guest Configuration42a07bbf-ffcf-459a-b4b1-30ecd118a505[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c[Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExistsnone
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Cognitive Services11566b39-f7f7-4b82-ab06-68d8700eb0a4Cognitive Services accounts should use customer owned storage or enable data encryption.This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-09 16:25:53
add: 11566b39-f7f7-4b82-ab06-68d8700eb0a4
Guest Configuratione425e402-a050-45e5-b010-bd3f934589fc[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configurationc8abcef9-fc26-482f-b8db-5fa60ee4586d[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExistsnone
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration36e17963-7202-494a-80c3-f508211c826b[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configurationddb53c61-9db4-41d4-a953-2abff5b66c12[Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExistsnone
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration498b810c-59cd-4222-9338-352ba146ccf3[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'
Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys for data stored in Cognitive Services. This is often required to meet compliance requirements. | Default: Audit; Allowed: (Audit,Deny,Disabled) | none
2020-06-09 16:25:53
add: 67121cc7-ff39-4ab8-b7e3-95b84dab487d
Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | none
2020-06-09 16:25:53
add: bb91dfba-c30d-4263-9add-9c2384e659a6
Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days
Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | This policy audits any Cognitive Services account not using customer owned storage. | Default: Audit; Allowed: (Audit,Deny,Disabled) | none
2020-06-09 16:25:53
add: 46aa9b05-0e60-4eae-a88b-1e9d374fa515
Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Components'
Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that have accounts without passwords
Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption
Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private links | Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. | Default: Audit; Allowed: (Audit,Disabled) | none
2020-06-09 16:25:53
add: 53503636-bcc9-4748-9663-5348217f160f
Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the DSC configuration is not compliant
Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | Cognitive Services accounts should enable data encryption
This policy audits any Cognitive Services account not using data encryption. Each Cognitive Services account with storage should enable data encryption with either a customer-managed or a Microsoft-managed key.
Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-09 16:25:53
add: 2bdd0062-9d75-436e-89df-487dd8e4b3c7
Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled
Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Audit Linux machines that are not using SSH key for authentication
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine allows passwords for authenticating through SSH.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-09 16:25:53
add: 630c64f9-8b6b-4c64-b511-6544ceff6fd6
Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Public network access should be disabled for Cognitive Services accounts
This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed.
Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-09 16:25:53
add: 0725b4dd-7e76-479c-a735-68e7ee23d5ca
Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one
This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords
Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that have not restarted within the specified number of days
Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
none
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
SQL | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | Vulnerability assessment should be enabled on SQL Managed Instance
Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-08 18:42:36
change: Previous DisplayName: Vulnerability assessment should be enabled on your SQL managed instances
Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection Standard should be enabled
DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-08 18:42:36
change: Previous DisplayName: DDoS Protection Standard should be enabled
SQL | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | Advanced data security should be enabled on SQL Managed Instance
Audit each SQL Managed Instance without advanced data security.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-08 18:42:36
change: Previous DisplayName: Advanced data security should be enabled on your SQL managed instances
Security Center47a6b606-51aa-4496-8bb7-64b11cf66adcAdaptive application controls for defining safe applications should be enabled on your machinesEnable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2020-06-08 18:42:36
change: Previous DisplayName: Adaptive Application Controls should be enabled on virtual machines
Category: Kubernetes service | Id: a2d3ed81-8d11-4079-80a5-1faadc0024f4 | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS
Description: This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS

Category: Kubernetes service | Id: a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Enforce internal load balancers in AKS
Description: This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce internal load balancers in AKS

Category: Kubernetes service | Id: 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Enforce HTTPS ingress in AKS
Description: This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce HTTPS ingress in AKS

Category: Security Center | Id: bd352bd5-2853-4985-bf0d-73806b4a5744 | Details (UTC): 2020-06-01 18:36:18
DisplayName: IP Forwarding on your virtual machine should be disabled
Description: Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | Roles used: none
change: Previous DisplayName: [Preview]: IP Forwarding on your virtual machine should be disabled

Category: Kubernetes service | Id: d011d9f7-ba32-4005-b727-b3d09371ca60 | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS
Description: This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS

Category: Kubernetes service | Id: 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Ensure only allowed container images in AKS
Description: This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure only allowed container images in AKS

Category: Kubernetes service | Id: 25dee3db-6ce0-4c02-ab5d-245887b24077 | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Ensure services listen only on allowed ports in AKS
Description: This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS

Category: Cache | Id: 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Details (UTC): 2020-06-01 18:36:18
DisplayName: Only secure connections to your Azure Cache for Redis should be enabled
Description: Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.
Effect: Default: Audit; Allowed: (Audit,Deny,Disabled) | Roles used: none
change: Previous DisplayName: Only secure connections to your Redis Cache should be enabled

Category: Security Center | Id: b0f33259-77d7-4c9e-aac6-3aabcfae693c | Details (UTC): 2020-06-01 18:36:18
DisplayName: Management ports of virtual machines should be protected with just-in-time network access control
Description: Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | Roles used: none
change: Previous DisplayName: Just-In-Time network access control should be applied on virtual machines

Category: Kubernetes service | Id: 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Enforce labels on pods in AKS
Description: This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce labels on pods in AKS

Category: Kubernetes service | Id: 0f636243-1b1c-4d50-880f-310f6199f2cb | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Ensure containers listen only on allowed ports in AKS
Description: This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS

Category: Kubernetes service | Id: 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | Details (UTC): 2020-06-01 18:36:18
DisplayName: [Deprecated]: Do not allow privileged containers in AKS
Description: This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled) | Roles used: none
change: Previous DisplayName: [Limited Preview]: [AKS] Do not allow privileged containers in AKS
Category: Security Center | Id: cdfcce10-4578-4ecd-9703-530938e4abcb | Details (UTC): 2020-05-29 15:39:09
DisplayName: Deploy export to Event Hub for Azure Security Center alerts and recommendations
Description: Enable export to Event Hub of Azure Security Center alerts and/or recommendations. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists | Roles used: Contributor
add: cdfcce10-4578-4ecd-9703-530938e4abcb

Category: Security Center | Id: 123a3936-f020-408a-ba0c-47873faf1534 | Details (UTC): 2020-05-29 15:39:09
DisplayName: Allowlist rules in your adaptive application control policy should be updated
Description: Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | Roles used: none
add: 123a3936-f020-408a-ba0c-47873faf1534

Category: Cognitive Services | Id: 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Details (UTC): 2020-05-29 15:39:09
DisplayName: Cognitive Services accounts should restrict network access
Description: Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
Effect: Default: Audit; Allowed: (Audit,Deny,Disabled) | Roles used: none
add: 037eea7a-bd0a-46c5-9a66-03aea78705d3

Category: Security Center | Id: ffb6f416-7bd2-4488-8828-56585fef2be9 | Details (UTC): 2020-05-29 15:39:09
DisplayName: Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations
Description: Enable export to Log Analytics workspace of Azure Security Center alerts and/or recommendations. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists | Roles used: Contributor
add: ffb6f416-7bd2-4488-8828-56585fef2be9

Category: Monitoring | Id: deacecc0-9f84-44d2-bb82-46f32d766d43 | Details (UTC): 2020-05-29 15:39:09
DisplayName: [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines
Description: This policy deploys the Dependency agent to Linux Azure Arc machines if the agent isn't installed.
Effect: Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
add: deacecc0-9f84-44d2-bb82-46f32d766d43

Category: Security Center | Id: f1525828-9a90-4fcf-be48-268cdd02361e | Details (UTC): 2020-05-29 15:39:09
DisplayName: Deploy Workflow Automation for Azure Security Center alerts
Description: Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists | Roles used: Contributor
add: f1525828-9a90-4fcf-be48-268cdd02361e

Category: Cosmos DB | Id: 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Details (UTC): 2020-05-29 15:39:09
DisplayName: Azure Cosmos DB throughput should be limited
Description: This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
add: 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf

Category: Monitoring | Id: 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Details (UTC): 2020-05-29 15:39:09
DisplayName: [Preview]: Deploy Dependency agent to Windows Azure Arc machines
Description: This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed.
Effect: Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
change: Previous DisplayName: [Preview]: Deploy Dependency agent to hybrid Windows VMs managed in Azure Arc

Category: Monitoring | Id: d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | Details (UTC): 2020-05-29 15:39:09
DisplayName: [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines
Description: This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | Roles used: none
add: d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e

Category: Security Center | Id: 73d6ab6c-2475-4850-afd6-43795f3492ef | Details (UTC): 2020-05-29 15:39:09
DisplayName: Deploy Workflow Automation for Azure Security Center recommendations
Description: Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Effect: Fixed: deployIfNotExists | Roles used: Contributor
add: 73d6ab6c-2475-4850-afd6-43795f3492ef

Category: Event Grid | Id: 4b90e17e-8448-49db-875e-bd83fb6f804f | Details (UTC): 2020-05-29 15:39:09
DisplayName: Azure Event Grid topics should use private links
Description: Audit Azure Event Grid topics that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
add: 4b90e17e-8448-49db-875e-bd83fb6f804f

Category: Monitoring | Id: 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Details (UTC): 2020-05-29 15:39:09
DisplayName: [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines
Description: This policy deploys the Log Analytics agent to Linux Azure Arc machines if the agent isn't installed.
Effect: Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
add: 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf

Category: Monitoring | Id: 69af7d4a-7b18-4044-93a9-2651498ef203 | Details (UTC): 2020-05-29 15:39:09
DisplayName: [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines
Description: This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.
Effect: Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
change: Previous DisplayName: [Preview]: Deploy Log Analytics agent to hybrid Windows VMs managed in Azure Arc

Category: Cosmos DB | Id: 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Details (UTC): 2020-05-29 15:39:09
DisplayName: Azure Cosmos DB key based metadata write access should be disabled
Description: This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access.
Effect: Fixed: append | Roles used: none
add: 4750c32b-89c0-46af-bfcb-2e4541a818d5

Category: Event Grid | Id: 9830b652-8523-49cc-b1b3-e17dce1127ca | Details (UTC): 2020-05-29 15:39:09
DisplayName: Azure Event Grid domains should use private links
Description: Audit Azure Event Grid domains that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
add: 9830b652-8523-49cc-b1b3-e17dce1127ca

Category: API Management | Id: ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | Details (UTC): 2020-05-29 15:39:09
DisplayName: API Management services should use a virtual network
Description: Virtual network on API Management services of the specified SKU should be enabled.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
add: ef619a2c-cc4d-4d03-b2ba-8c94a834d85b

Category: Monitoring | Id: 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | Details (UTC): 2020-05-29 15:39:09
DisplayName: [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines
Description: This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | Roles used: none
add: 842c54e8-c2f9-4d79-ae8d-38d8b8019373

Category: Container Registry | Id: e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Details (UTC): 2020-05-29 15:39:09
DisplayName: Container registries should use private links
Description: Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
change: Previous DisplayName: [Preview]: Container Registries should use private links

Category: Container Registry | Id: d0793b48-0edc-4296-a390-4c75d1bdfd71 | Details (UTC): 2020-05-29 15:39:09
DisplayName: Container registries should not allow unrestricted network access
Description: Audit container registries that do not have any network or firewall (IP) rules configured and so allow all network access by default. Restricting network access protects container registries from potential threats. Container registries with at least one IP / firewall rule or configured virtual network are deemed compliant. For more information on Container Registry network rules, visit: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
change: Previous DisplayName: [Preview]: Container Registries should not allow unrestricted network access

Category: Container Registry | Id: 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Details (UTC): 2020-05-29 15:39:09
DisplayName: Container registries should be encrypted with a customer-managed key (CMK)
Description: Audit container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://aka.ms/acr/CMK.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
change: Previous DisplayName: [Preview]: Container Registries should be encrypted with a Customer-Managed Key (CMK)
Category: Cache | Id: 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Details (UTC): 2020-05-21 16:06:38
DisplayName: Azure Cache for Redis should reside within a virtual network
Description: Azure Cache for Redis has the ability to reside within a virtual network, which is a way for the resource to have a non-public endpoint controlled and managed by the user.
Effect: Default: Audit; Allowed: (Audit,Deny,Disabled) | Roles used: none
add: 7d092e0a-7acd-40d2-a975-dca21cae48c4

Category: Monitoring | Id: 69af7d4a-7b18-4044-93a9-2651498ef203 | Details (UTC): 2020-05-21 16:06:38
DisplayName: [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines
Description: This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed.
Effect: Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
add: 69af7d4a-7b18-4044-93a9-2651498ef203

Category: Monitoring | Id: 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Details (UTC): 2020-05-13 05:56:52
DisplayName: [Preview]: Deploy Dependency agent to Windows Azure Arc machines
Description: This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed.
Effect: Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
add: 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4

Category: Security Center | Id: 6df2fee6-a9ed-4fef-bced-e13be1b25f1c | Details (UTC): 2020-05-13 05:56:52
DisplayName: Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.
Description: Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists,Disabled) | Roles used: Contributor
add: 6df2fee6-a9ed-4fef-bced-e13be1b25f1c

Category: Machine Learning | Id: 53c70b02-63dd-11ea-bc55-0242ac130003 | Details (UTC): 2020-05-13 05:56:52
DisplayName: [Preview]: Configure allowed module authors for specified Azure Machine Learning computes
Description: This policy helps provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting,disabled) | Roles used: none
add: 53c70b02-63dd-11ea-bc55-0242ac130003

Category: Machine Learning | Id: 3948394e-63de-11ea-bc55-0242ac130003 | Details (UTC): 2020-05-13 05:56:52
DisplayName: [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes
Description: This policy helps configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting,disabled) | Roles used: none
add: 3948394e-63de-11ea-bc55-0242ac130003

Category: Security Center | Id: 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 | Details (UTC): 2020-05-13 05:56:52
DisplayName: Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.
Description: Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.
Effect: Default: DeployIfNotExists; Allowed: (DeployIfNotExists,Disabled) | Roles used: Contributor
add: 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616

Category: Machine Learning | Id: 5853517a-63de-11ea-bc55-0242ac130003 | Details (UTC): 2020-05-13 05:56:52
DisplayName: [Preview]: Configure allowed registries for specified Azure Machine Learning computes
Description: This policy helps provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting,disabled) | Roles used: none
add: 5853517a-63de-11ea-bc55-0242ac130003

Category: Machine Learning | Id: 1d413020-63de-11ea-bc55-0242ac130003 | Details (UTC): 2020-05-13 05:56:52
DisplayName: [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes
Description: This policy helps provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting,disabled) | Roles used: none
add: 1d413020-63de-11ea-bc55-0242ac130003

Category: Machine Learning | Id: 77eeea86-7e81-4a7d-9067-de844d096752 | Details (UTC): 2020-05-13 05:56:52
DisplayName: [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes
Description: This policy helps provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc.
Effect: Default: enforceSetting; Allowed: (enforceSetting,disabled) | Roles used: none
add: 77eeea86-7e81-4a7d-9067-de844d096752
Category: Compute | Id: cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Details (UTC): 2020-05-09 14:57:51
DisplayName: Allowed virtual machine size SKUs
Description: This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy.
Effect: Fixed: Deny | Roles used: none
change: Previous DisplayName: Allowed virtual machine SKUs

Category: Storage | Id: 34c877ad-507e-4c82-993e-3452a6e0ad3c | Details (UTC): 2020-05-09 14:57:51
DisplayName: Storage accounts should restrict network access
Description: Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.
Effect: Default: Audit; Allowed: (Audit,Deny,Disabled) | Roles used: none
change: Previous DisplayName: Audit unrestricted network access to storage accounts
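The sync export above fuses category, definition id, display name and description onto one line, and fuses a fixed effect with its role name (for example "deployIfNotExistsContributor"). The Python below is an added example, not part of this changelog and not Azure Policy tooling: it parses a handful of records copied in that raw flattened form (the sample is constructed for the example), then answers the two questions a reviewer of such a sync usually has: which definitions default to Audit although Deny is an allowed effect, and which deployIfNotExists/modify definitions will need a managed identity with the listed role when assigned. Effect names are the ones Azure Policy defines; display name and description are kept as a single text field because the export gives no separator between them.

```python
"""Parse the flattened Azure Policy changelog export and triage the entries."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the raw export form: category, GUID, display name and
# description are fused on one line, followed by the Allowed/roles/date/change lines.
SAMPLE = """\
Cache22bee202-a82f-4305-9a2a-6d7f44d4dedbOnly secure connections to your Azure Cache for Redis should be enabledAudit enabling of only connections via SSL to Azure Cache for Redis. Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2020-06-01 18:36:18
change: Previous DisplayName: Only secure connections to your Redis Cache should be enabled
Security Centercdfcce10-4578-4ecd-9703-530938e4abcbDeploy export to Event Hub for Azure Security Center alerts and recommendationsEnable export to Event Hub of Azure Security Center alerts and/or recommendations. Fixed: deployIfNotExistsContributor
2020-05-29 15:39:09
add: cdfcce10-4578-4ecd-9703-530938e4abcb
Event Grid4b90e17e-8448-49db-875e-bd83fb6f804fAzure Event Grid topics should use private linksAudit Azure Event Grid topics that do not have at least one approved private endpoint connection. Default: Audit
Allowed: (Audit,Disabled)
none
2020-05-29 15:39:09
add: 4b90e17e-8448-49db-875e-bd83fb6f804f
Cosmos DB4750c32b-89c0-46af-bfcb-2e4541a818d5Azure Cosmos DB key based metadata write access should be disabledThis policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. Fixed: appendnone
2020-05-29 15:39:09
add: 4750c32b-89c0-46af-bfcb-2e4541a818d5
"""

# Built-in definition names are lowercase GUIDs; the lazy category match stops at the first one.
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
HEADER = re.compile(
    rf"^(?P<category>.*?)(?P<id>{GUID})(?P<text>.*?)\s+(?P<kind>Default|Fixed):\s*(?P<rest>.+)$"
)
# Effect names Azure Policy defines, longest first so 'audit' cannot shadow 'auditIfNotExists'.
EFFECTS = ["deployIfNotExists", "auditIfNotExists", "enforceRegoPolicy", "enforceSetting",
           "disabled", "append", "modify", "audit", "deny"]


@dataclass
class Entry:
    category: str
    id: str
    text: str          # display name + description; the export has no separator between them
    effect: str        # default effect, or the fixed effect
    fixed: bool
    allowed: List[str]
    roles: str
    timestamp: str
    change: str


def split_effect(rest: str) -> Tuple[str, str]:
    """'deployIfNotExistsContributor' -> ('deployIfNotExists', 'Contributor'); 'Denynone' -> ('Deny', 'none')."""
    low = rest.lower()
    for eff in EFFECTS:
        if low.startswith(eff.lower()):
            return rest[:len(eff)], rest[len(eff):].strip()
    raise ValueError(f"unknown effect in {rest!r}")


def parse(export: str) -> List[Entry]:
    lines = [ln.strip() for ln in export.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            raise ValueError(f"line {i + 1} is not an entry header: {lines[i][:40]!r}")
        effect, roles = split_effect(m["rest"])
        fixed = m["kind"] == "Fixed"
        allowed = [effect]
        i += 1
        if not fixed:
            # Parameterised effects carry an Allowed list and a roles line of their own.
            am = re.match(r"Allowed:\s*\((.*)\)", lines[i])
            if not am:
                raise ValueError(f"missing Allowed list after {m['id']}")
            allowed = [a.strip() for a in am.group(1).split(",")]
            roles = lines[i + 1]
            i += 2
        timestamp, change = lines[i], lines[i + 1]
        i += 2
        entries.append(Entry(m["category"].strip(), m["id"], m["text"].strip(),
                             effect, fixed, allowed, roles, timestamp, change))
    return entries


def deny_capable_but_audit(entries: List[Entry]) -> List[Entry]:
    """Assigned at their default these only report; Deny is available and worth considering."""
    return [e for e in entries
            if not e.fixed and e.effect.lower() != "deny"
            and any(a.lower() == "deny" for a in e.allowed)]


def needs_managed_identity(entries: List[Entry]) -> List[Entry]:
    """deployIfNotExists and modify assignments run with a managed identity holding the listed role."""
    return [e for e in entries if e.effect.lower() in ("deployifnotexists", "modify")]


def added_ids(entries: List[Entry]) -> List[str]:
    """Ids the export records as newly added (as opposed to renamed or re-versioned)."""
    return [e.id for e in entries if e.change.startswith("add:")]


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for e in deny_capable_but_audit(parsed):
        print(f"consider Deny: {e.category} {e.id} (default {e.effect}, allowed {e.allowed})")
    for e in needs_managed_identity(parsed):
        print(f"identity needed: {e.category} {e.id} -> role '{e.roles}'")
```

Feed it the raw export text instead of SAMPLE to triage a whole sync; the only fragile point is the category/id split, which relies on built-in definition names being lowercase GUIDs, so a malformed line raises rather than silently mis-assigning a record.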
Category: SQL | Id: d9844e8a-1437-4aeb-a32c-0c992f056095 | Details (UTC): 2020-04-28 14:50:57
DisplayName: Public network access should be disabled for MySQL servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
add: d9844e8a-1437-4aeb-a32c-0c992f056095

Category: SQL | Id: 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | Details (UTC): 2020-04-28 14:50:57
DisplayName: Bring your own key data protection should be enabled for MySQL servers
Description: Using customer-managed keys for encrypting data at rest in your Azure Database for MySQL database servers enables implementing a separation of duties in the management of keys and data. When you configure a customer-managed key, the key is used to protect and control access to the key that encrypts your data. You have full control and responsibility for the key lifecycle, including rotation and management. The use of customer-managed keys is sometimes required for compliance purposes.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | Roles used: none
add: 83cef61d-dbd1-4b20-a4fc-5fbc7da10833

Category: Container Registry | Id: e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Details (UTC): 2020-04-28 14:50:57
DisplayName: Container registries should use private links
Description: Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
add: e8eef0a8-67cf-4eb4-9386-14b0e78733d4

Category: SQL | Id: b52376f7-9612-48a1-81cd-1ffe4b61032c | Details (UTC): 2020-04-28 14:50:57
DisplayName: Public network access should be disabled for PostgreSQL servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
add: b52376f7-9612-48a1-81cd-1ffe4b61032c

Category: SQL | Id: 18adea5e-f416-4d0f-8aa8-d24321e3e274 | Details (UTC): 2020-04-28 14:50:57
DisplayName: Bring your own key data protection should be enabled for PostgreSQL servers
Description: Using customer-managed keys for encrypting data at rest in your Azure Database for PostgreSQL database servers enables implementing a separation of duties in the management of keys and data. When you configure a customer-managed key, the key is used to protect and control access to the key that encrypts your data. You have full control and responsibility for the key lifecycle, including rotation and management. The use of customer-managed keys is sometimes required for compliance purposes.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists,Disabled) | Roles used: none
add: 18adea5e-f416-4d0f-8aa8-d24321e3e274

Category: SQL | Id: fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Details (UTC): 2020-04-28 14:50:57
DisplayName: Public network access should be disabled for MariaDB servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.
Effect: Default: Audit; Allowed: (Audit,Disabled) | Roles used: none
add: fdccbe47-f3e3-4213-ad5d-ea459b2fa077
Category: Kubernetes | Id: b2fd3e59-6390-4f2b-8247-ea676bd03e2d | Details (UTC): 2020-04-23 15:06:19
DisplayName: [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster
Description: This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster

Category: Kubernetes | Id: 95edb821-ddaf-4404-9732-666045e056b4 | Details (UTC): 2020-04-23 15:06:19
DisplayName: Do not allow privileged containers in Kubernetes cluster
Description: This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster

Category: Kubernetes | Id: 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Details (UTC): 2020-04-23 15:06:19
DisplayName: Enforce labels on pods in Kubernetes cluster
Description: This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster

Category: Kubernetes | Id: febd0533-8e55-448f-b837-bd0e06f16469 | Details (UTC): 2020-04-23 15:06:19
DisplayName: Ensure only allowed container images in Kubernetes cluster
Description: This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster

Category: Kubernetes | Id: 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Details (UTC): 2020-04-23 15:06:19
DisplayName: Enforce internal load balancers in Kubernetes cluster
Description: This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster

Category: Kubernetes | Id: e345eecc-fa47-480f-9e88-67dcc122b164 | Details (UTC): 2020-04-23 15:06:19
DisplayName: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster
Description: This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster

Category: Kubernetes | Id: 440b515e-a580-421e-abeb-b159a61ddcbc | Details (UTC): 2020-04-23 15:06:19
DisplayName: Ensure containers listen only on allowed ports in Kubernetes cluster
Description: This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster

Category: Kubernetes | Id: 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Details (UTC): 2020-04-23 15:06:19
DisplayName: Enforce HTTPS ingress in Kubernetes cluster
Description: This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster

Category: Kubernetes | Id: 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Details (UTC): 2020-04-23 15:06:19
DisplayName: Ensure services listen only on allowed ports in Kubernetes cluster
Description: This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Effect: Default: deny; Allowed: (audit,deny,disabled) | Roles used: none
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster
Monitoringe2dd799a-a932-4e9d-ac17-d473bc3c6c10Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlistedReports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExistsnone
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted
Monitoring4da21710-ce6f-4e06-8cdb-5cc4c93ffbeeDeploy Dependency agent for Linux virtual machinesDeploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed: deployIfNotExistsLog Analytics Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VMs
Monitoring11ac78e3-31bc-4f0c-8434-37ab963cea07Audit Dependency agent deployment - VM Image (OS) unlistedReports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Fixed: auditIfNotExistsnone
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted
Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VMs
Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Virtual Machine Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux Virtual Machine Scale Sets
Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VMs
Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VMs
Monitoring | f47b5582-33ec-4c5c-87c0-b010a6b2e917 | Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | Fixed: audit | Roles used: none
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Log Analytics Workspace for VM - Report Mismatch
Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Virtual Machine Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows Virtual Machine Scale Sets
Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor, Virtual Machine Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows Virtual Machine Scale Sets
Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor, Virtual Machine Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux Virtual Machine Scale Sets
Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | Roles used: none
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted
Guest Configuration | 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 | [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | Roles used: none
2020-03-17 09:22:59
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled
Network | fc5e4038-4584-4632-8c85-c0448d374b2c | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-03-17 09:22:59
add: fc5e4038-4584-4632-8c85-c0448d374b2c
Guest Configuration | 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d | [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles used: Contributor
2020-03-17 09:22:59
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | Default: deny
Allowed: (deny,audit,disabled)
Roles used: none
2020-03-17 09:22:59
add: 0473574d-2d43-4217-aefe-941fcdf7e684
Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-03-17 09:22:59
add: 5fc23db3-dd4d-4c56-bcc7-43626243e601
Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Audit Windows machines on which Windows Defender Exploit Guard is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that do not match expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-03-17 09:22:59
add: bed48b13-6647-468e-aa2f-1af1d3f4dd40
Tags | 9ea02ca2-71db-412d-8b00-7c7ca9fcd32d | Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | Roles used: none
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its value from the resource group
Tags | 2a0e14a6-b0a6-4fab-991a-187a4f81c498 | Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | Roles used: none
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its default value
Tags | 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 | Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append | Roles used: none
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its default value to resource groups
Tags | 8ce3da23-7156-49e4-b145-24f95f9dcb46 | Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | Fixed: deny | Roles used: none
2020-03-10 16:29:49
change: Previous DisplayName: Require tag and its value on resource groups
Tags | 871b6d14-10aa-478d-b590-94f262ecfa99 | Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | Fixed: deny | Roles used: none
2020-03-10 16:29:49
change: Previous DisplayName: Require specified tag
Tags | 96670d01-0a4d-4649-9c89-2d3abc0a5025 | Require a tag on resource groups | Enforces existence of a tag on resource groups. | Fixed: deny | Roles used: none
2020-03-10 16:29:49
change: Previous DisplayName: Require specified tag on resource groups
Tags | 1e30110a-5ceb-460c-a204-c1c3969c6d62 | Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | Fixed: deny | Roles used: none
2020-03-10 16:29:49
change: Previous DisplayName: Require tag and its value
Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Virtual Machine Contributor
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)
Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | Roles used: none
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted
Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor, Virtual Machine Contributor
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)
Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists | Roles used: none
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted
Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor, Virtual Machine Contributor
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)
Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Virtual Machine Contributor
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)
SQL | 0a1302fb-a631-4106-9753-f3d494733990 | Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-27 09:26:21
add: 0a1302fb-a631-4106-9753-f3d494733990
SQL | dfbd9a64-6114-48de-a47d-90574dc2e489 | MariaDB server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether Azure Database for MariaDB is using a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-27 09:26:21
add: dfbd9a64-6114-48de-a47d-90574dc2e489
SQL | 3375856c-3824-4e0e-ae6a-79e011dd4c47 | MySQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether Azure Database for MySQL is using a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-27 09:26:21
add: 3375856c-3824-4e0e-ae6a-79e011dd4c47
SQL | 7595c971-233d-4bcf-bd18-596129188c49 | Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-27 09:26:21
add: 7595c971-233d-4bcf-bd18-596129188c49
SQL | 0564d078-92f5-4f97-8398-b9f58a51f70b | Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-27 09:26:21
add: 0564d078-92f5-4f97-8398-b9f58a51f70b
SQL | 3c14b034-bcb6-4905-94e7-5b8e98a47b65 | PostgreSQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether Azure Database for PostgreSQL is using a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-27 09:26:21
add: 3c14b034-bcb6-4905-94e7-5b8e98a47b65
Security Center | 1a833ff1-d297-4a0f-9944-888428f8e0ff | [Deprecated]: Access to App Services should be restricted | Azure Security Center has discovered that the networking configuration of some of your app services is overly permissive and allows inbound traffic from ranges that are too broad. | Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-25 11:29:35
change: Previous DisplayName: [Preview]: Access to App Services should be restricted
Tags | 40df99da-1232-49b1-a39a-6da8d878f469 | Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Fixed: modify | Roles used: Contributor
2020-02-20 08:25:18
add: 40df99da-1232-49b1-a39a-6da8d878f469
Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure Security Center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports. | Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-20 08:25:18
change: Previous DisplayName: Web ports should be restricted on Network Security Groups associated to your VM
Tags | b27a0cbd-a167-4dfa-ae64-4337be671140 | Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Fixed: modify | Roles used: Contributor
2020-02-20 08:25:18
add: b27a0cbd-a167-4dfa-ae64-4337be671140
Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key (CMK) | Audit container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Default: Audit
Allowed: (Audit,Disabled)
Roles used: none
2020-02-12 02:52:44
add: 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580
Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Roles used: Monitoring Contributor, Log Analytics Contributor
2020-02-12 02:52:44
add: c717fb0c-d118-4c43-ab3d-ece30ac81fb3
App Platform | 0f2d8593-4667-4932-acca-6a9f187af109 | [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Default: Audit
Allowed: (Audit,Disabled)
Roles used: none
2020-02-12 02:52:44
add: 0f2d8593-4667-4932-acca-6a9f187af109
App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use a private link | Private endpoint connections allow clients on a virtual network to securely access Azure App Configuration over a private link. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-12 02:52:44
add: ca610c1d-041c-4332-9d88-7ed3094967c7
App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit
Allowed: (Audit,Disabled)
Roles used: none
2020-02-12 02:52:44
add: 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1
Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Audit container registries that do not have any network or firewall (IP) rules configured and so allow all network access by default. Restricting network access protects container registries from potential threats. Container registries with at least one IP / firewall rule or configured virtual network are deemed compliant. For more information on Container Registry network rules, visit: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default: Audit
Allowed: (Audit,Disabled)
Roles used: none
2020-02-12 02:52:44
add: d0793b48-0edc-4296-a390-4c75d1bdfd71
App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-02-08 03:50:24
change: Previous DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Funtion app
Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles used: Contributor
2020-02-08 03:50:24
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | Roles used: none
2020-02-08 03:50:24
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
Network | e372f825-a257-4fb8-9175-797a8a8627d6 | RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from the Internet. | Default: Audit
Allowed: (Audit,Disabled)
Roles used: none
2020-01-29 21:53:30
add: e372f825-a257-4fb8-9175-797a8a8627d6
Monitoring | b954148f-4c11-4c38-8221-be76711e194a | An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-29 21:53:30
add: b954148f-4c11-4c38-8221-be76711e194a
Monitoring | 3b980d31-7904-4bb7-8575-5665739a8052 | An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-29 21:53:30
add: 3b980d31-7904-4bb7-8575-5665739a8052
Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | Fixed: deployIfNotExists | Roles used: Security Admin
2020-01-29 21:53:30
add: ac076320-ddcf-4066-b451-6154267e8ad2
Network | 2c89a2e5-7285-40fe-afe0-ae8654b92fab | SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from the Internet. | Default: Audit
Allowed: (Audit,Disabled)
Roles used: none
2020-01-29 21:53:30
add: 2c89a2e5-7285-40fe-afe0-ae8654b92fab
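The RDP (e372f825) and SSH (2c89a2e5) policies above both audit "any network security rule that allows access from the Internet" to a management port. The script below is an added example of that check, not Microsoft's policy rule: it walks an NSG's security rules in priority order, treats wildcard and zero-length-prefix sources as "the Internet" (an assumption of this script), and reports which Allow rule exposes each port. The NSG is constructed sample data shaped like the properties of a Microsoft.Network/networkSecurityGroups resource.

```python
"""Find RDP (3389) and SSH (22) reachable from the Internet in an Azure NSG.

Added example, not Microsoft's policy rule. The rule dicts are constructed sample
data in the shape of Microsoft.Network/networkSecurityGroups/securityRules
properties; which prefixes count as "Internet" is this script's assumption."""
import ipaddress

# Assumption: these source prefixes mean "anywhere on the Internet".
INTERNET_PREFIXES = {"*", "internet", "0.0.0.0/0", "::/0"}


def is_internet_source(prefix: str) -> bool:
    """True for a wildcard or zero-length CIDR; service tags and specific ranges are not."""
    p = prefix.strip().lower()
    if p in INTERNET_PREFIXES:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:
        return False  # e.g. VirtualNetwork, AzureLoadBalancer, or a malformed prefix


def port_spec_covers(spec: str, port: int) -> bool:
    """NSG destination port specs are '*', a single port, or a 'lo-hi' range."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_matches(rule: dict, port: int) -> bool:
    """Does this inbound rule (Allow or Deny) apply to Internet traffic to `port`?"""
    p = rule["properties"]
    if p["direction"].lower() != "inbound":
        return False
    if p["protocol"].lower() not in ("*", "tcp", "udp"):  # assumption: Icmp/Esp/Ah rules are irrelevant here
        return False
    sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "")]
    ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "")]
    return any(is_internet_source(s) for s in sources) and any(port_spec_covers(d, port) for d in ports)


def exposed_ports(nsg: dict, ports=(3389, 22)) -> dict:
    """Map each port to the name of the Allow rule exposing it, or None.

    NSG rules are evaluated in priority order (lowest number first) and the first
    match wins, so a wildcard Deny placed ahead of an Allow shadows it. If no custom
    rule matches, Azure's default DenyAllInBound applies, i.e. the port is not exposed."""
    rules = sorted(nsg["properties"]["securityRules"], key=lambda r: r["properties"]["priority"])
    result = {}
    for port in ports:
        result[port] = None
        for rule in rules:
            if rule_matches(rule, port):
                if rule["properties"]["access"].lower() == "allow":
                    result[port] = rule["name"]
                break
    return result


def _rule(name, priority, access, src, dst_ports, direction="Inbound", protocol="Tcp"):
    """Build a constructed sample rule in the Azure resource shape."""
    props = {"priority": priority, "access": access, "direction": direction, "protocol": protocol}
    props["sourceAddressPrefixes" if isinstance(src, list) else "sourceAddressPrefix"] = src
    props["destinationPortRanges" if isinstance(dst_ports, list) else "destinationPortRange"] = dst_ports
    return {"name": name, "properties": props}


# Constructed sample NSG (not taken from any real subscription).
SAMPLE_NSG = {
    "name": "nsg-web-01",
    "properties": {
        "securityRules": [
            _rule("allow-rdp-anywhere", 100, "Allow", "*", "3389"),
            _rule("deny-ssh-internet", 105, "Deny", "Internet", "22"),
            _rule("allow-all-mgmt", 120, "Allow", "0.0.0.0/0", ["22", "3389", "5985-5986"]),
            _rule("allow-ssh-office", 200, "Allow", "203.0.113.0/24", "22"),
            _rule("allow-rdp-out", 90, "Allow", "*", "3389", direction="Outbound"),
        ]
    },
}

if __name__ == "__main__":
    for port, rule in exposed_ports(SAMPLE_NSG, (3389, 22, 5985)).items():
        print(f"port {port}: {'exposed by ' + rule if rule else 'not exposed'}")
```

On the sample, 3389 is exposed by allow-rdp-anywhere, 22 is not (the priority-105 Deny shadows the broad Allow at 120, and the office rule is a specific /24), and WinRM 5985 is exposed through the port range in allow-all-mgmt. Real-world runs should feed the script the rules returned by `az network nsg rule list` together with the default rules, since an Allow in the default set (AllowVnetInBound, AllowAzureLoadBalancerInBound) never matches an Internet source but a custom rule may.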
Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-29 21:53:30
add: c5447c04-a4d7-4ba8-a263-c9ee321a6858
Security Center | af8051bf-258b-44e2-a2bf-165330459f9d | [Deprecated]: Monitor unaudited SQL servers in Azure Security Center | SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server' | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-29 05:56:46
change: Previous DisplayName: [Deprecated] Monitor unaudited SQL servers in Azure Security Center
Security Center | a8bef009-a5c9-4d0f-90d7-6018734e8a16 | [Deprecated]: Monitor unencrypted SQL databases in Azure Security Center | Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Transparent Data Encryption on SQL databases should be enabled' | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-29 05:56:46
change: Previous DisplayName: [Deprecated] Monitor unencrypted SQL databases in Azure Security Center
Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-10 16:39:23
change: Previous DisplayName: Network Security Group Rules for Internet facing virtual machines should be hardened
Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-10 16:39:23
change: Previous DisplayName: Virtual machines should be associated with a Network Security Group
SQL | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server, except Synapse, and save them in an audit log. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-10 16:39:23
change: Previous DisplayName: Auditing should be enabled on advanced data security settings on SQL Server
Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure Security Center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regards to the web application ports. | Default: Disabled
Allowed: (AuditIfNotExists,Disabled)
Roles used: none
2020-01-10 16:39:23
change: Previous DisplayName: The NSGs rules for web applications on IaaS should be hardened
Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles used: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles used: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles used: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'User Rights Assignment'
Guest Configuration
c1e289c0-ffad-475d-a924-adc058765d65
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration
7040a231-fb65-4412-8c0a-b365f4866c24
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Components'
Guest Configuration
ce2370f6-0ac5-4d85-8ab4-10721cc640b0
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration
8e170edb-e0f5-497a-bb36-48b3280cec6a
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration
437a1f8f-8552-47a8-8b12-a2fee3269dd5
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration
985285b7-b97a-419c-8d48-c88cc934c8d8
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration
6481cc21-ed6e-4480-99dd-ea7c5222e897
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration
c04255ee-1b9f-42c1-abaa-bf1553f79930
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration
f1f4825d-58fb-4257-8016-8c00e3c9ed9d
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
Guest Configuration
ec7ac234-2af5-4729-94d2-c557c071799d
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration
f56a3ab2-89d1-44de-ac0d-2ada5962e22a
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration
0a9991e6-21be-49f9-8916-a06d934bcf29
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration
f8b0158d-4766-490f-bea0-259e52dba473
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration
36e17963-7202-494a-80c3-f508211c826b
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration
97b595c8-fd10-400e-8543-28e2b9138b13
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration
ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration
3750712b-43d0-478e-9966-d2c26f6141b9
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration
e5b81f87-9185-4224-bf00-9f505e9f89f3
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration
bbcdd8fa-b600-4ee3-85b8-d184e3339652
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration
498b810c-59cd-4222-9338-352ba146ccf3
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration
e425e402-a050-45e5-b010-bd3f934589fc
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration
40917425-69db-4018-8dae-2a0556cef899
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration
86880e5c-df35-43c5-95ad-7e120635775e
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration
909c958d-1b99-4c74-b88f-46a5c5bc34f9
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration
e3d95ab7-f47a-49d8-a347-784177b6c94c
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration
12ae2d24-3805-4b37-9fa9-465968bfbcfa
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System objects'
App Service
c4ebc54a-46e1-481a-bee2-d4411e95d828
Authentication should be enabled on your API app
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: c4ebc54a-46e1-481a-bee2-d4411e95d828
Monitoring
fbb99e8e-e444-4da0-9ff1-75c92f5a85b2
Storage account containing the container with activity logs must be encrypted with BYOK
This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: fbb99e8e-e444-4da0-9ff1-75c92f5a85b2
Backup
013e242c-8828-4970-87b3-ab247555486d
Azure Backup should be enabled for Virtual Machines
Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: 013e242c-8828-4970-87b3-ab247555486d
App Service
95bccee9-a7f8-4bec-9ee9-62c3473701fc
Authentication should be enabled on your web app
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: 95bccee9-a7f8-4bec-9ee9-62c3473701fc
Guest Configuration
6141c932-9384-44c6-a395-59e4c057d7c9
Configure time zone on Windows machines.
This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.
Fixed: deployIfNotExists
Contributor
2019-12-11 09:18:30
change: Previous DisplayName: Configure time zone on Windows machines.
App Service
c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8
Authentication should be enabled on your Function app
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-12-11 09:18:30
add: c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8
Monitoring
04c4380f-3fae-46e8-96c9-30193528f602
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines
Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-27 16:06:41
add: 04c4380f-3fae-46e8-96c9-30193528f602
Monitoring
2f2ee1de-44aa-4762-b6bd-0893fc3f306d
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines
Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-27 16:06:41
add: 2f2ee1de-44aa-4762-b6bd-0893fc3f306d
Key Vault
1151cede-290b-4ba0-8b38-0ad145ac888f
[Preview]: Certificates should use allowed key types
Manage your organizational compliance requirements by restricting the key types allowed for certificates.
Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should have the specified key types
Key Vault
a22f4a40-01d3-4c7d-8071-da157eeff341
[Preview]: Certificates should be issued by the specified non-integrated certificate authority
Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault.
Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should be issued by an approved custom Certificate Authority provider
Key Vault
12ef42cb-9903-4e39-9c26-422d29570417
[Preview]: Certificates should have the specified lifetime action triggers
Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration.
Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should have the specified lifetime action trigger
Key Vault
cee51871-e572-4576-855c-047c820360f0
[Preview]: Certificates using RSA cryptography should have the specified minimum key size
Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.
Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificate key sizes should be sufficiently large
Backup
09ce66bc-1220-4153-8104-e3f51c936913
Configure backup on VMs of a location to an existing central Vault in the same location
This policy configures Azure Backup protection on VMs in a given location to an existing central vault in the same location. It applies to only those VMs that are not already configured for backup. It is recommended that this policy is assigned to not more than 200 VMs. If the policy is assigned for more than 200 VMs, it can result in the backup getting triggered a few hours beyond the defined schedule. This policy will be enhanced to support more VM images.
Default: deployIfNotExists
Allowed: (deployIfNotExists,auditIfNotExists,disabled)
Virtual Machine Contributor
Backup Contributor
2019-11-19 11:26:09
change: Previous DisplayName: Deploy prerequisites to backup VMs of a location to an existing central Vault in the same location
Key Vault
0a075868-4c26-42ef-914c-5bc007359560
[Preview]: Certificates should have the specified maximum validity period
Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault.
Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should not have a lengthy validity period
Key Vault
f772fb64-8e40-40ad-87bc-7706e1949427
[Preview]: Certificates should not expire within the specified number of days
Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration.
Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should not expire in the specified number of days
Key Vault
8e826246-c976-48f6-b03e-619bb92b3d82
[Preview]: Certificates should be issued by the specified integrated certificate authority
Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.
Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should be issued by an approved Azure Key Vault supported Certificate Authority provider
App Service
e567365d-4228-430f-ac39-7d5d46e617ac
Ensure API app is using the latest version of TLS encryption
The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.
n/a
n/a
2019-11-12 19:11:12
remove: e567365d-4228-430f-ac39-7d5d46e617ac
App Service
991310cd-e9f3-47bc-b7b6-f57b557d07db
Ensure that 'HTTP Version' is the latest, if used to run the Api app
Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 991310cd-e9f3-47bc-b7b6-f57b557d07db
App Service
58d94fc1-a072-47c2-bd37-9cdb38e77453
[Deprecated]: Ensure Function app is using the latest version of TLS encryption
Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: Ensure Function app is using the latest version of TLS encryption
Kubernetes service
a74d8f00-2fd9-4ce4-968e-0ee1eb821698
[Deprecated]: Enforce internal load balancers in AKS
This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce internal load balancers in AKS
Kubernetes service
16c6ca72-89d2-4798-b87e-496f9de7fcb7
[Deprecated]: Enforce labels on pods in AKS
This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce labels on pods in AKS
App Service
f0473e7a-a1ba-4e86-afb2-e829e11b01d8
[Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App
This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: f0473e7a-a1ba-4e86-afb2-e829e11b01d8
App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-11-12 19:11:12
add: 0c192fe8-9cbb-4516-85b3-0ade8bd03886
App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 7008174a-fd10-4ef0-817e-fc820a951d73
App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | Ensure that 'Java version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 88999f4c-376a-45c8-bcb3-4058f713cf39
App Service | 6ad61431-88ce-4357-a0e1-6da43f292bd7 | [Deprecated]: Ensure WEB app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: Ensure WEB app is using the latest version of TLS encryption
App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 7261b898-8a84-4db8-9e04-18527132abb3
App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 7238174a-fd10-4ef0-817e-fc820a951d73
Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure services listen only on allowed ports in AKS
App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 10c1859c-e1a7-4df3-ab97-a487fa8059f6
Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure containers listen only on allowed ports in AKS
App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 843664e0-7563-41ee-a9cb-7522c382d2c4
App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: ab965db2-d2bf-4b64-8b39-c38ec8179461
App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: c2e7ca55-f62c-49b2-89a4-d41eb661d2f0
Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce HTTPS ingress in AKS
Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Do not allow privileged containers in AKS
App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-11-12 19:11:12
add: 5bb220d9-2698-4ee4-8404-b9c30c9df609
App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 496223c3-ad65-4ecd-878a-bae78737e9ed
Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce unique ingress hostnames across namespaces in AKS
App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba
App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-11-12 19:11:12
add: eaebaea7-8013-4ceb-9d14-7eb32271373c
App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc
App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the Api app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Api apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 74c3584d-afae-46f7-a20a-6f8adba71a16
App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 86d97760-d216-4d81-a3ad-163087b2b6c3
Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure CPU and memory resource limits defined on containers in AKS
App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: aa81768c-cb87-4ce2-bfaa-00baa10d760c
Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy,Disabled)
none
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure only allowed container images in AKS
App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | Ensure that 'HTTP Version' is the latest, if used to run the Web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: 8c122334-9d20-4eb8-89ea-ac9a705b74ae
App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-11-12 19:11:12
add: e2c1c086-2d84-4019-bff3-c44ccd95113c
Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | [Preview]: Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default: audit
Allowed: (audit,deny,disabled)
none
2019-11-02 10:12:34
add: bd78111f-4953-4367-9fd5-7e08808b54bf
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: 440b515e-a580-421e-abeb-b159a61ddcbc
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: 95edb821-ddaf-4404-9732-666045e056b4
Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: c84e5349-db6d-4769-805e-e14037dab9b5
Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: e345eecc-fa47-480f-9e88-67dcc122b164
Monitoring | 6b51af03-9277-49a9-a3f8-1c69c9ff7403 | Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: 6b51af03-9277-49a9-a3f8-1c69c9ff7403
Monitoring | e8d096bc-85de-4c5f-8cfb-857bd1b9d62d | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: e8d096bc-85de-4c5f-8cfb-857bd1b9d62d
Monitoring | edf3780c-3d70-40fe-b17e-ab72013dafca | Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: edf3780c-3d70-40fe-b17e-ab72013dafca
App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | Latest TLS version should be used in your Web App | Upgrade to the latest TLS version | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b
Monitoring | 25763a0a-5783-4f14-969e-79d4933eb74b | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 25763a0a-5783-4f14-969e-79d4933eb74b
Monitoring | a1dae6c7-13f3-48ea-a149-ff8442661f60 | Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: a1dae6c7-13f3-48ea-a149-ff8442661f60
Monitoring | db51110f-0865-4a6e-b274-e2e07a5b2cd7 | Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: db51110f-0865-4a6e-b274-e2e07a5b2cd7
SQL | 48af4db5-9b8b-401c-8e74-076be876a430 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: 48af4db5-9b8b-401c-8e74-076be876a430
Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 1f6e93e8-6b31-41b1-83f6-36e449a42579
Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673
SQL | 82339799-d096-41ae-8538-b108becf0970 | Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: 82339799-d096-41ae-8538-b108becf0970
Managed Application | 17763ad9-70c0-4794-9397-53d765932634 | Deploy associations for a managed application | Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor
2019-10-29 23:04:36
add: 17763ad9-70c0-4794-9397-53d765932634
Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: b889a06c-ec72-4b03-910a-cb169ee18721
Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: bef3f64c-5290-43b7-85b0-9b254eef4c47
App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: 9a1b8c48-453a-4044-86c3-d8bfd823e4f5
Monitoring | 3d5da587-71bd-41f5-ac95-dd3330c2d58d | Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: 3d5da587-71bd-41f5-ac95-dd3330c2d58d
App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: 0da106f2-4ca3-48e8-bc85-c638fe6aea8f
Lighthouse | 76bed37b-484f-430f-a009-fd7592dff818 | Audit delegation of scopes to a managing tenant | Audit delegation of scopes to a managing tenant via Azure Lighthouse. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: 76bed37b-484f-430f-a009-fd7592dff818
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2019-10-29 23:04:36
add: fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50
Monitoring | ef7b61ef-b8e4-4c91-8e78-6946c6b0023f | Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: ef7b61ef-b8e4-4c91-8e78-6946c6b0023f
Storage | bf045164-79ba-4215-8f95-f8048dc1780b | Geo-redundant storage should be enabled for Storage Accounts | This policy audits any Storage Account with geo-redundant storage not enabled. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: bf045164-79ba-4215-8f95-f8048dc1780b
App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: c4d441f8-f9d9-4a9e-9cef-e82117cb3eef
App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: 399b2637-a50f-4f95-96f8-3a145476eb15
SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: d38fc420-0735-4ef3-ac11-c806f651a570
Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: febd0533-8e55-448f-b837-bd0e06f16469
Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 04d53d87-841c-4f23-8a5b-21564380b55e
Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: b2fd3e59-6390-4f2b-8247-ea676bd03e2d
App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: f9d614c5-c173-4d56-95a7-b4437057d193
App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: 2b9ad585-36bc-4615-b300-fd4435808332
Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: 46592696-4c7b-4bf3-9e45-6c2763bdc0a6
App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Enforce HTTPS ingress in Kubernetes cluster | This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2019-10-29 23:04:36
add: 0ecd903d-91e7-4726-83d3-a229d7f2e293
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e
Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 08ba64b8-738f-4918-9686-730d2ed79c7d
SQL | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-29 23:04:36
add: 0ec47710-77ff-4a3d-9181-6aa50af424d0
Custom Provider | c15c281f-ea5c-44cd-90b8-fc3c14d13f0c | Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor
2019-10-29 23:04:36
add: c15c281f-ea5c-44cd-90b8-fc3c14d13f0c
Monitoring | 4daddf25-4823-43d4-88eb-2419eb6dcc08 | Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists,Disabled)
Contributor
2019-10-29 23:04:36
add: 4daddf25-4823-43d4-88eb-2419eb6dcc08
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit,deny,disabled)
none
2019-10-29 23:04:36
add: 233a2a17-77ca-4fb1-9b6b-69223d272a44
e567365d-4228-430f-ac39-7d5d46e617ac Fixed: none
2019-10-29 23:04:36
add: e567365d-4228-430f-ac39-7d5d46e617ac
App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | Latest TLS version should be used in your API App | Upgrade to the latest TLS version | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-29 23:04:36
add: 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e
SQL | 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf | [Deprecated]: Require SQL Server version 12.0 | This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0. | Fixed: Deny
none
2019-10-29 21:52:54
change: Previous DisplayName: Require SQL Server version 12.0
Network | 235359c5-7c52-4b82-9055-01c75cf9f60e | Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: 235359c5-7c52-4b82-9055-01c75cf9f60e
Monitoring | a70ca396-0a34-413a-88e1-b956c1e683be | The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: a70ca396-0a34-413a-88e1-b956c1e683be
Network | ea4d6841-2173-4317-9747-ff522a45120f | Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-11 00:02:54
add: ea4d6841-2173-4317-9747-ff522a45120f
Network | d416745a-506c-48b6-8ab1-83cb814bcaa3 | Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Default: Audit
Allowed: (Audit,Deny,Disabled)
none
2019-10-11 00:02:54
add: d416745a-506c-48b6-8ab1-83cb814bcaa3
Monitoring | efbde977-ba53-4479-b8e9-10b957924fbf | The Log Analytics agent should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: efbde977-ba53-4479-b8e9-10b957924fbf
Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: 2d21331d-a4c2-4def-a9ad-ee4e1e023beb
Network | f1776c76-f58c-4245-a8d0-2b207198dc8b | Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: f1776c76-f58c-4245-a8d0-2b207198dc8b
Network | 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 | Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-11 00:02:54
add: 60d21c4f-21a3-4d94-85f4-b924e6aeeda4
Network | e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 | Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-11 00:02:54
add: e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9
Network | c4857be7-912a-4c75-87e6-e30292bcdf78 | [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Default: Audit
Allowed: (Audit,Disabled)
none
2019-10-11 00:02:54
add: c4857be7-912a-4c75-87e6-e30292bcdf78
Network | ae5d2f14-d830-42b6-9899-df6cfe9c71a3 | SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: ae5d2f14-d830-42b6-9899-df6cfe9c71a3
Network | d63edb4a-c612-454d-b47d-191a724fcbf0 | Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-11 00:02:54
add: d63edb4a-c612-454d-b47d-191a724fcbf0
Tags | ac7e5fc0-c029-4b12-91d4-a8500ce697f9 | [Deprecated]: Allow resource creation if 'environment' tag value in allowed values | Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging | Fixed: Deny
none
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation if 'environment' tag value in allowed values
General | 94c19f19-8192-48cd-a11b-e37099d3e36b | [Deprecated]: Allow resource creation only in European data centers | Allows resource creation in the following locations only: North Europe, West Europe | Fixed: Deny
none
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in European data centers
SQL | 06a78e20-9358-41c9-923c-fb736d382a12 | [Deprecated]: Audit SQL DB Level Audit Setting | Audit DB level audit setting for SQL databases | Fixed: AuditIfNotExists
none
2019-10-08 15:55:12
change: Previous DisplayName: Audit SQL DB Level Audit Setting
Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs | This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace | Fixed: deployIfNotExists
Log Analytics Contributor
2019-10-08 15:55:12
change: Previous DisplayName: Deploy default Log Analytics Agent for Ubuntu VMs
General | c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 | [Deprecated]: Allow resource creation only in Asia data centers | Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West | Fixed: Deny
none
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Asia data centers
6fdb9205-3462-4cfc-87d8-16c7860b53f4 Fixed: none
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Japan data centers
Security Center | abcc6037-1fc4-47f6-aac5-89706589be24 | [Deprecated]: Automatic provisioning of security monitoring agent | Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. | Fixed: AuditIfNotExists
none
2019-10-08 15:55:12
change: Previous DisplayName: Automatic provisioning of security monitoring agent
e01598e8-6538-41ed-95e8-8b29746cd697 Fixed: none
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Japan data centers
General | 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 | [Deprecated]: Allow resource creation only in India data centers | Allows resource creation in the following locations only: West India, South India, Central India | Fixed: Deny
none
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in India data centers
Tags | cd8dc879-a2ae-43c3-8211-1877c5755064 | [Deprecated]: Allow resource creation if 'department' tag set | Allows resource creation only if the 'department' tag is set | Fixed: Deny
none
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation if 'department' tag set
General | 983211ba-f348-4758-983b-21fa29294869 | [Deprecated]: Allow resource creation only in United States data centers | Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US | Fixed: Deny
none
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in United States data centers
SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives a scan result summary after a periodic scan runs on SQL servers. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9
SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 | Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_connections setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e442
SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d | Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_checkpoints setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d
SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 | Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without the log_disconnections setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e446
SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 | Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_duration setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists,Disabled)
none
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3