last sync: 2024-Nov-01 18:49:23 UTC

Changes on Azure Policy definitions

Category | Id | DisplayName | Description | Effect (Default; Allowed) | Roles used | Subject | Change | Date (UTC ymd) | Type
Security Center | f08f556c-12ff-464d-a7de-40cb5b6cccec | Configure ChangeTracking Extension for Windows virtual machines | Configure Windows virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor, old suffix: preview (2.0.0-preview > 2.1.0) | 2024-11-01 18:49:23 | BuiltIn
ChangeTrackingAndInventory | bef2d677-e829-492d-9a3d-f5a20fda818f | Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-11-01 18:49:23 | BuiltIn
ChangeTrackingAndInventory | ad1eeff9-20d7-4c82-a04e-903acab0bfc1 | Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor, old suffix: preview (1.1.0-preview > 1.2.0) | 2024-11-01 18:49:23 | BuiltIn
ChangeTrackingAndInventory | b6faa975-0add-4f35-8d1c-70bba45c4424 | Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows virtual machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations and OS images is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-11-01 18:49:23 | BuiltIn
ChangeTrackingAndInventory | 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 | Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor, old suffix: preview (1.5.0-preview > 1.6.0) | 2024-11-01 18:49:23 | BuiltIn
Security Center | ec88097d-843f-4a92-8471-78016d337ba4 | Configure ChangeTracking Extension for Linux virtual machines | Configure Linux virtual machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Virtual Machine Contributor | change | Minor, old suffix: preview (2.0.0-preview > 2.1.0) | 2024-11-01 18:49:23 | BuiltIn
ChangeTrackingAndInventory | ef9fe2ce-a588-4edd-829c-6247069dcfdb | Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Windows Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-10-31 18:50:28 | BuiltIn
ChangeTrackingAndInventory | a7acfae7-9497-4a3f-a3b5-a16a50abbe2f | Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-10-31 18:50:28 | BuiltIn
Security Center | 1e378679-f122-4a96-a739-a7729c46e1aa | [Deprecated]: Cloud Services (extended support) role instances should have an endpoint protection solution installed | Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | none | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn
Security Center | 10caed8a-652c-4d1d-84e4-2805b7c07278 | Configure ChangeTracking Extension for Linux Arc machines | Configure Linux Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | change | Minor, old suffix: preview (2.0.0-preview > 2.1.0) | 2024-10-31 18:50:28 | BuiltIn
Security Center | 8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2 | [Deprecated]: Endpoint protection health issues should be resolved on your machines | Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions. Endpoint protection assessment is documented here - https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | none | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn
Security Center | c859b78a-a128-4376-a838-e97ce6625d16 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.7.0 > 1.8.0) | 2024-10-31 18:50:28 | BuiltIn
Security Center | 4bb303db-d051-4099-95d2-e3e1428a4cd5 | Configure ChangeTracking Extension for Windows Arc machines | Configure Windows Arc machines to automatically install the ChangeTracking Extension to enable File Integrity Monitoring (FIM) in Azure Security Center. FIM examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. The extension can be installed in virtual machines and locations supported by Azure Monitor Agent. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | change | Minor, old suffix: preview (2.0.0-preview > 2.1.0) | 2024-10-31 18:50:28 | BuiltIn
ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5187 | Configure Linux Arc-enabled machines to install AMA for ChangeTracking and Inventory | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for enabling ChangeTracking and Inventory. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Azure Connected Machine Resource Administrator | change | Minor, old suffix: preview (1.3.0-preview > 1.4.0) | 2024-10-31 18:50:28 | BuiltIn
Security Center | 1f7c564c-0a90-4d44-b7e1-9d456cffaee8 | [Deprecated]: Endpoint protection should be installed on your machines | To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | none | change | Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn
ChangeTrackingAndInventory | 09a1f130-7697-42bc-8d84-8a9ea17e5192 | Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory | Deploy Association to link Linux Arc-enabled machines to the specified Data Collection Rule to enable ChangeTracking and Inventory. The list of locations is updated over time as support is increased. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Log Analytics Contributor, Monitoring Contributor | change | Minor, old suffix: preview (1.0.0-preview > 1.1.0) | 2024-10-31 18:50:28 | BuiltIn
Security Center | 04754ef9-9ae3-4477-bf17-86ef50026304 | Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.8.0 > 1.9.0) | 2024-10-31 18:50:28 | BuiltIn
Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | [Deprecated]: Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | none | change | Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn
Security Center | 26a828e1-e88f-464e-bbb3-c134a282b9de | [Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machine scale sets, to protect them from threats and vulnerabilities. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | none | change | Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-31 18:50:28 | BuiltIn
Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Owner | change | Patch (2.1.0 > 2.1.1) | 2024-10-30 18:57:40 | BuiltIn
App Service | 014664e7-e348-41a3-aeb9-566e4ff6a9df | Configure App Service app slots to use the latest TLS version | Periodically, newer versions of TLS are released, whether to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Website Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-25 17:51:35 | BuiltIn
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor, Virtual Machine Contributor | change | Minor (9.3.0 > 9.4.0) | 2024-10-25 17:51:35 | BuiltIn
App Service | fa3a6357-c6d6-4120-8429-855577ec0063 | Configure Function app slots to use the latest TLS version | Periodically, newer versions of TLS are released, whether to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Website Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-25 17:51:35 | BuiltIn
Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor, Virtual Machine Contributor | change | Minor (9.3.0 > 9.4.0) | 2024-10-25 17:51:35 | BuiltIn
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor, Virtual Machine Contributor | change | Minor (9.3.0 > 9.4.0) | 2024-10-25 17:51:35 | BuiltIn
App Service | 1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0 | Configure Function apps to use the latest TLS version | Periodically, newer versions of TLS are released, whether to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Website Contributor | change | Minor (1.0.1 > 1.1.0) | 2024-10-25 17:51:35 | BuiltIn
Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | Backup Contributor, Virtual Machine Contributor | change | Minor (9.3.0 > 9.4.0) | 2024-10-25 17:51:35 | BuiltIn
App Service | deb528de-8f89-4101-881c-595899253102 | Function app slots should use the latest TLS version | Periodically, newer versions of TLS are released, whether to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-25 17:51:35 | BuiltIn
App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | App Service apps should use the latest TLS version | Periodically, newer versions of TLS are released, whether to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | none | change | Minor (2.0.1 > 2.1.0) | 2024-10-25 17:51:35 | BuiltIn
App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Function apps should use the latest TLS version | Periodically, newer versions of TLS are released, whether to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | none | change | Minor (2.0.1 > 2.1.0) | 2024-10-25 17:51:35 | BuiltIn
App Service | 4ee5b817-627a-435a-8932-116193268172 | App Service app slots should use the latest TLS version | Periodically, newer versions of TLS are released, whether to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-25 17:51:35 | BuiltIn
App Service | ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d | Configure App Service apps to use the latest TLS version | Periodically, newer versions of TLS are released, whether to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionality of the latest version. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Website Contributor | change | Minor (1.0.1 > 1.1.0) | 2024-10-25 17:51:35 | BuiltIn
PostgreSQL | 1d14b021-1bae-4f93-b36b-69695e14984a | Disconnections should be logged for PostgreSQL flexible servers | This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | none | change | Patch (1.0.0 > 1.0.1) | 2024-10-21 17:52:17 | BuiltIn
PostgreSQL | a43d5475-c569-45ce-a268-28fa79f4e87a | PostgreSQL flexible servers should be running TLS version 1.2 or newer | This policy helps audit any PostgreSQL flexible servers in your environment that are running a TLS version lower than 1.2. | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-21 17:52:17 | BuiltIn
Kubernetes | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). | Default: Audit; Allowed: Audit, Deny, Disabled | none | change | Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) | 2024-10-21 17:52:17 | BuiltIn
Azure Update Manager | bfea026e-043f-4ff4-9d1b-bf301ca7ff46 | Configure periodic checking for missing system updates on Azure Arc-enabled servers | Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. | Fixed: modify | Azure Connected Machine Resource Administrator | change | Minor (2.2.1 > 2.3.0) | 2024-10-15 17:53:32 | BuiltIn
Guest Configuration | e22a2f03-0534-4d10-8ea0-aa25a6113233 | Configure SSH security posture for Linux (powered by OSConfig) | This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including prerequisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Guest Configuration Resource Contributor | change | Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2024-10-15 17:53:32 | BuiltIn
Machine Learning | 12e5dd16-d201-47ff-849b-8454061c293d | [Preview]: Azure Machine Learning Deployments should only use approved Registry Models | Restrict the deployment of Registry models to control externally created models used within your organization. | Default: Audit; Allowed: Audit, Deny, Disabled | none | add | new Policy | 2024-10-15 17:53:32 | BuiltIn
Guest Configuration | a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4 | Audit SSH security posture for Linux (powered by OSConfig) | This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including prerequisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview | Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled | none | change | Patch, old suffix: preview (1.0.0-preview > 1.0.1) | 2024-10-15 17:53:32 | BuiltIn
SQL | Deploy-SqlMi-minTLS | SQL managed instances deploy a specific min TLS version requirement. | Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enforcing a minimal TLS version on connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | SQL Managed Instance Contributor | change | Minor (1.2.0 > 1.3.0) | 2024-10-10 01:17:21 | ALZ
SQL | Deploy-MySQL-sslEnforcement | Azure Database for MySQL server deploy a specific min TLS version and enforce SSL. | Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Requiring client applications to connect with a minimum TLS version secures the connection between your database server and your client applications and helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-10 01:17:21 | ALZ
SQL | Deploy-SQL-minTLS | SQL servers deploy a specific min TLS version requirement. | Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enforcing a minimal TLS version on connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | SQL Server Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-10 01:17:21 | ALZ
Cache | Append-Redis-sslEnforcement | Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS. | Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enforcing a minimal TLS version on connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: Append; Allowed: Append, Disabled | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ
SQL | Deny-SqlMi-minTLS | SQL Managed Instance should have the minimal TLS version set to the highest version | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit; Allowed: Audit, Disabled, Deny | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ
Network | Deny-VNET-Peer-Cross-Sub | Deny vNet peering cross subscription. | This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope. | Default: Deny; Allowed: Audit, Deny, Disabled | none | change | Minor (1.0.1 > 1.1.0) | 2024-10-10 01:17:21 | ALZ
Networking | Deploy-Private-DNS-Generic | Deploy-Private-DNS-Generic | Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Network Contributor | change | Major (1.0.0 > 2.0.0) | 2024-10-10 01:17:21 | ALZ
Storage | Deploy-Storage-sslEnforcement | Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enforcing a minimal TLS version on connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Storage Account Contributor | change | Minor (1.2.0 > 1.3.0) | 2024-10-10 01:17:21 | ALZ
Cache | Deny-Redis-http | Azure Cache for Redis only secure connections should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both the minimum TLS version and that enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Default: Deny; Allowed: Audit, Deny, Disabled | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ
SQL | Deny-Sql-minTLS | Azure SQL Database should have the minimal TLS version set to the highest version | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit; Allowed: Audit, Disabled, Deny | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ
SQL | Deploy-PostgreSQL-sslEnforcement | Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL | Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforcing a minimal TLS version on connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-10-10 01:17:21 | ALZ
App Service | Append-AppService-latestTLS | AppService append sites with minimum TLS version to enforce. | Append the AppService sites object to ensure that min TLS version is set to the required minimum TLS version. Please note that Append does not enforce compliance; use Deny for enforcement. | Default: Append; Allowed: Append, Disabled | none | change | Minor (1.1.0 > 1.2.0) | 2024-10-10 01:17:21 | ALZ
SQL | Deny-MySql-http | MySQL database servers enforce SSL connections. | Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Default: Deny; Allowed: Audit, Disabled, Deny | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ
Event Hub | Deny-EH-minTLS | Event Hub namespaces should use a valid TLS version | Event Hub namespaces should use a valid TLS version. | Default: Deny; Allowed: Audit, Deny, Disabled | none | change | Minor (1.0.0 > 1.1.0) | 2024-10-10 01:17:21 | ALZ
Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | [Deprecated]: Allowlist rules in your adaptive application control policy should be updated | Monitor changes in behavior on machines audited by Azure Security Center's adaptive application controls. Security Center uses machine learning to suggest known-safe applications as recommended apps. This policy is deprecated due to the deprecation of the Azure Monitoring agent. Learn more at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | none | change | Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn
Security Center | 475aae12-b88a-4572-8b36-9b712b2b3a17 | [Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription | Azure Security Center collects VM data using the Log Analytics agent for security monitoring. Enable auto provisioning for automatic deployment. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. | Default: Disabled; Allowed: AuditIfNotExists, Disabled | none | change | Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) | 2024-10-07 17:51:17 | BuiltIn
Security Center 86b3d65f-7626-441e-b690-81a8b71cff60 [Deprecated]: System updates should be installed on your machines Missing security system updates on your servers will be monitored by Azure Security Center as recommendations Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (4.0.0 > 4.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
App Configuration d242c24b-bac7-439e-8af7-22d7dcfd3c4f App Configuration should use geo-replication Use the geo-replication feature to create replicas in other locations of your current configuration store for enhanced resiliency and availability. Additionally, having multi-region replicas lets you better distribute load, lower latency, protect against datacenter outages, and compartmentalize globally distributed workloads. Learn more at: https://aka.ms/appconfig/geo-replication. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-10-07 17:51:17 BuiltIn
Security Center 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 [Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. This policy is deprecated because it depends on the Azure Monitoring agent, which has also been deprecated. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Container Apps d074ddf8-01a5-4b5e-a2b8-964aed452c0a Container Apps environment should disable public network access Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.1 > 1.1.0) 2024-10-07 17:51:17 BuiltIn
Security Center 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 [Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines Azure Security Center recommends NSG rules for Internet-facing VMs. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center c3f317a7-a95c-4547-b7e7-11017ebdf2fe [Deprecated]: System updates on virtual machine scale sets should be installed Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center 47a6b606-51aa-4496-8bb7-64b11cf66adc [Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines Enable application controls to define safe applications and get alerts for others, enhancing security. This policy is deprecated due to the Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Security Center e8cbc669-f12d-49eb-93e7-9273119e9933 [Deprecated]: Vulnerabilities in container security configurations should be remediated Audit Docker security vulnerabilities and display recommendations in Azure Security Center. This policy is deprecated due to Azure Monitoring agent deprecation. Learn more at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (3.0.0 > 3.1.0-deprecated) 2024-10-07 17:51:17 BuiltIn
Cache 1b1df1e6-d60f-4430-9390-2b0c83aae4a7 Configure Azure Cache for Redis Enterprise with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2024-09-27 17:51:42 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.2.0 > 2.3.0) 2024-09-24 17:50:47 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview) 2024-09-24 17:50:47 BuiltIn
Machine Learning ba769a63-b8cc-4b2d-abf6-ac33c7204be8 Azure Machine Learning workspaces should be encrypted with a customer-managed key Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.3 > 1.1.0) 2024-09-18 17:50:24 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.0 > 1.4.0) 2024-09-10 17:48:30 BuiltIn
Health Deidentification Service d9b2d63d-a233-4123-847a-7f7e5f5d7e7a Azure Health Data Services de-identification service should use private link Azure Health Data Services de-identification service should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-09-10 17:48:30 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.6.0 > 1.7.0) 2024-09-10 17:48:30 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.6.0 > 1.7.0) 2024-09-10 17:48:30 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.4.0 > 1.5.0) 2024-09-10 17:48:30 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.4.0 > 1.5.0) 2024-09-10 17:48:30 BuiltIn
Health Deidentification Service c5f34731-7ab9-42ff-922d-ef4920068b74 Azure Health Data Services de-identification service should disable public network access Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-09-10 17:48:30 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
Minor, suffix remains equal (7.2.0-preview > 7.3.0-preview) 2024-09-10 17:48:30 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.7.0 > 1.8.0) 2024-09-10 17:48:30 BuiltIn
Security Center 359a48a3-351a-4618-bb32-f1628645694b Configure Microsoft Defender threat protection for AI workloads New capabilities are continuously being added to threat protection for AI workloads, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-09-02 17:49:45 BuiltIn
Kubernetes e1352e44-d34d-4e4d-a22e-451a15f759a1 Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: https://aka.ms/aks/planned-maintenance Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.0.0 > 1.1.0) 2024-09-02 17:49:45 BuiltIn
Kubernetes fed6510d-00b9-40db-a347-933125a6a327 [Preview]: Prevents init containers from being run as root by setting runAsNotRoot to true. Setting runAsNotRoot to true increases security by preventing containers from being run as root. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-08-26 18:17:33 BuiltIn
Kubernetes 2fe7ba7d-f670-41f5-8b70-b61dc7dfbe18 [Preview]: Prevents containers from being run as root by setting runAsNotRoot to true. Setting runAsNotRoot to true increases security by preventing containers from being run as root. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-08-26 18:17:33 BuiltIn
Cache 1b1df1e6-d60f-4430-9390-2b0c83aae4a7 Configure Azure Cache for Redis Enterprise with private endpoints Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2024-08-20 18:21:51 BuiltIn
Cache 09aa11bb-87ec-409f-bf0b-49b7c1561a87 Azure Cache for Redis Enterprise should use customer-managed keys for encrypting disk data Use customer-managed keys (CMK) to manage the encryption at rest of your on-disk data. By default, customer data is encrypted with platform-managed keys (PMK), but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/RedisCMK. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-08-20 18:21:51 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
Minor (4.2.0 > 4.3.0) 2024-08-20 18:21:51 BuiltIn
Cache 7473e756-98d9-4d10-9a22-8101ef32cd74 Configure Azure Cache for Redis Enterprise to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis Enterprise. Learn more at: https://aka.ms/privatednszone. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2024-08-20 18:21:51 BuiltIn
Kubernetes 708b60a6-d253-4fe0-9114-4be4c00f012c [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
Minor, suffix remains equal (7.1.0-preview > 7.2.0-preview) 2024-08-20 18:21:51 BuiltIn
Cache 960e650e-9ce3-4316-9590-8ee2c016ca2f Azure Cache for Redis Enterprise should use private link Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-08-20 18:21:51 BuiltIn
Regulatory Compliance 9e1a2a94-cf7e-47de-b28e-d445ecc63902 Set file integrity rules in your organization CMA_M1000 - Set file integrity rules in your organization Default
Manual
Allowed
Manual, Disabled
add
new Policy 2024-08-20 18:21:51 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (4.4.0 > 4.4.1) 2024-08-20 18:21:51 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (3.3.0 > 3.3.1) 2024-08-20 18:21:51 BuiltIn
Security Center f85bf3e0-d513-442e-89c3-1784ad63382b System updates should be installed on your machines (powered by Update Center) Your machines are missing system, security, and critical updates. Software updates often include critical patches to security holes. Such holes are frequently exploited in malware attacks so it's vital to keep your software updated. To install all outstanding patches and secure your machines, follow the remediation steps. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-08-20 18:21:51 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (2.2.0 > 2.2.1) 2024-08-20 18:21:51 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (3.3.0 > 3.3.1) 2024-08-20 18:21:51 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (4.4.0 > 4.4.1) 2024-08-20 18:21:51 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (6.5.0 > 6.5.1) 2024-08-20 18:21:51 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (2.2.0 > 2.2.1) 2024-08-20 18:21:51 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Patch (4.5.0 > 4.5.1) 2024-08-20 18:21:51 BuiltIn
Kubernetes 16697877-1118-4fb1-9b65-9898ec2509ec Kubernetes cluster pods should only use allowed volume types Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.1.1 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes df49d893-a74c-421d-bc95-c663042e5b80 Kubernetes cluster containers should run with a read only root file system Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.2.0 > 6.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.2.0 > 9.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 9f061a12-e40d-4183-a00e-171812443373 Kubernetes clusters should not use the default namespace Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (4.1.0 > 4.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 021f8078-41a0-40e6-81b6-c6597da9f3ee [Preview]: Kubernetes cluster container images should not include latest image tag Requires that container images do not use the latest tag in Kubernetes. Using explicit, versioned container images is a best practice that ensures reproducibility, prevents unintended updates, and makes debugging and rollbacks easier. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes clusters should not allow container privilege escalation Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.1.0 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes a3dc4946-dba6-43e6-950d-f96532848c9f Kubernetes clusters should ensure that the cluster-admin role is only used where required The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed. Default
Audit
Allowed
Audit, Disabled
change
Minor (1.0.0 > 1.1.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 511f5417-5d12-434d-ab2e-816901e72a5e Kubernetes cluster containers should only use allowed AppArmor profiles Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.1.1 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes f85eb0dd-92ee-40e9-8a76-db25a507d6d3 Kubernetes cluster containers should only use allowed ProcMountType Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.1.1 > 8.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 1a3b9003-eac6-4d39-a184-4a567ace7645 [Preview]: Kubernetes cluster container images must include the preStop hook Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClasses are deprecated since AKS version 1.21. To learn more, see https://aka.ms/aks-csi-driver Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.2.0 > 2.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes a2abc456-f0ae-464b-bd3a-07a3cdbd7fb1 Kubernetes cluster Windows containers should not overcommit CPU and memory Windows container resource requests should be less than or equal to the resource limit, or unspecified, to avoid overcommit. If Windows memory is over-provisioned, it will page to disk (which can slow down performance) instead of terminating the container with out-of-memory. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 50c83470-d2f0-4dda-a716-1938a4825f62 Kubernetes cluster containers should only use allowed pull policy Restrict containers' pull policy to enforce containers to use only allowed images on deployments Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 975ce327-682c-4f2e-aa46-b9598289b86c Kubernetes cluster containers should only use allowed seccomp profiles Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.1.1 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes ca8d5704-aa2b-40cf-b110-dc19052825ad Kubernetes clusters should minimize wildcard use in role and cluster role Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster. Default
Audit
Allowed
Audit, Disabled
change
Minor (1.0.0 > 1.1.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes cluster pod hostPath volumes should only use allowed host paths Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.1.1 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes f06ddb64-5fa3-4b77-b166-acb36f7f6042 Kubernetes cluster pods and containers should only run with approved user and group IDs Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.1.1 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 57dde185-5c62-4063-b965-afbb201e9c1c Kubernetes cluster Windows containers should only run with approved user and domain user group Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8 [Preview]: Sets Privilege escalation in the Pod spec in init containers to false. Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes cluster pods should only use approved host network and port range Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.1.0 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes e24df237-32cb-4a6c-a2f6-85b499cda9f2 [Preview]: Prints a message if a mutation is applied Looks up the mutation annotations applied and prints a message if annotation exists. Default
Audit
Allowed
Audit, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes c812272d-7488-495f-a505-047d34b83f58 [Preview]: Mutate K8s Init Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux init containers Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes cluster should not use naked pods Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by a Deployment, ReplicaSet, DaemonSet or Job. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d Kubernetes clusters should be accessible only over HTTPS Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.1.0 > 8.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 6f87d474-38a9-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes c873b3ba-c605-42e4-a64b-a142a93826fc [Preview]: Mutate K8s Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for k8s linux containers Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes cluster should not allow privileged containers Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.1.0 > 9.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes e1e6c427-07d9-46ab-9689-bfa85431e636 Kubernetes cluster pods and containers should only use allowed SELinux options Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.1.1 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes cluster containers should only use allowed images Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (9.2.0 > 9.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 6bcd4321-fb89-4e3e-bf6c-999c13d47f43 [Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes a27c700f-8a22-44ec-961c-41625264370b Kubernetes clusters should not use specific security capabilities Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.1.0 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes cluster Windows containers should not run as ContainerAdministrator Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 56d0a13f-712f-466b-8416-56fb354fb823 Kubernetes cluster containers should not use forbidden sysctl interfaces Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.1.1 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes d77df159-718b-4aca-b94b-8e8890a98231 [Preview]: Sets Privilege escalation in the Pod spec to false. Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes cluster containers should not share host process ID or host IPC namespace Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.1.0 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Network fe8a9af4-a003-4c7d-b7a4-b9808310c4f8 Public IPs and Public IP prefixes should have FirstPartyUsage tag Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-08-09 18:17:47 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 1ddac26b-ed48-4c30-8cc5-3a68c79b8001 Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 077f0ce1-86d6-4058-bc60-de05067e8622 Kubernetes cluster Windows pods should not run HostProcess containers Prevent privileged access to the Windows node. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-08-09 18:17:47 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes b81f454c-eebb-4e4f-9dfe-dca060e8a8fd [Preview]: Kubernetes clusters should restrict creation of given resource type Given Kubernetes resource type should not be deployed in certain namespace. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (2.2.0-preview > 2.3.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 423dd1ba-798e-40e4-9c4d-b6902674b423 Kubernetes clusters should disable automounting API credentials Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (4.1.0 > 4.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 Kubernetes cluster pod FlexVolume volumes should only use allowed drivers Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.1.1 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes b1a9997f-2883-4f12-bdff-2280f99b5915 Ensure cluster containers have readiness or liveness probes configured This policy enforces that all pods have readiness and/or liveness probes configured. Probe types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.2.0 > 3.3.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 233a2a17-77ca-4fb1-9b6b-69223d272a44 Kubernetes cluster services should listen only on allowed ports Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.1.0 > 8.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes cf426bb8-b320-4321-8545-1b784a5df3a4 [Image Integrity] Kubernetes clusters should only use images signed by notation Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity Default
Audit
Allowed
Audit, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes d46c275d-1680-448d-b2ec-e495a3b6cc89 Kubernetes cluster services should only use allowed external IPs Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (5.1.0 > 5.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes clusters should use internal load balancers Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (8.1.0 > 8.2.0) 2024-08-09 18:17:47 BuiltIn
Azure Load Testing d855fd7a-9be5-4d84-8b75-28d41aadc158 [Preview]: Load tests using Azure Load Testing should be run only against private endpoints from within a virtual network. Azure Load Testing engine instances should use virtual network injection for the following purposes: 1. Isolate Azure Load Testing engines to a virtual network. 2. Enable Azure Load Testing engines to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Load Testing engines. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-08-09 18:17:47 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 57f274ef-580a-4ed2-bcf8-5c6fa3775253 [Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview) 2024-08-09 18:17:47 BuiltIn
Kubernetes 9a5f4e39-e427-4d5d-ae73-93db00328bec Kubernetes resources should have required annotations Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 Kubernetes cluster pods should use specified labels Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (7.1.0 > 7.2.0) 2024-08-09 18:17:47 BuiltIn
Kubernetes c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes cluster containers should only use allowed capabilities Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
change
Minor (6.1.0 > 6.2.0) 2024-08-09 18:17:47 BuiltIn
Cache 3827af20-8f80-4b15-8300-6db0873ec901 Azure Cache for Redis should not use access keys for authentication Not using local authentication methods like access keys and using more secure alternatives like Microsoft Entra ID (recommended) improves security for your Azure Cache for Redis. Learn more at aka.ms/redis/disableAccessKeyAuthentication Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-08-05 18:24:24 BuiltIn
Security Center 7e92882a-2f8a-4991-9bc4-d3147d40abb0 Enable threat protection for AI workloads Microsoft threat protection for AI workloads provides contextualized, evidence-based security alerts aimed at protecting home-grown generative AI-powered applications. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
add
new Policy 2024-08-05 18:24:24 BuiltIn
Cognitive Services 67121cc7-ff39-4ab8-b7e3-95b84dab487d Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK) Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements. This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.1.0 > 2.2.0) 2024-08-05 18:24:24 BuiltIn
Monitoring 89ca9cc7-25cd-4d53-97ba-445ca7a1f222 Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.2.2 > 1.3.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Deploy Dependency agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Fixed
deployIfNotExists
count: 001
Virtual Machine Contributor
change
Minor (5.0.0 > 5.1.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.2.0 > 3.3.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 1c210e94-a481-4beb-95fa-1571b434fb04 Deploy - Configure Dependency agent to be enabled on Windows virtual machines Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (3.1.0 > 3.2.0) 2024-07-30 18:18:24 BuiltIn
Security Center 3bc8a0d5-38e0-4a3d-a657-2cb64468fc34 Azure Defender for SQL should be enabled for unprotected MySQL flexible servers Audit MySQL flexible servers without Advanced Data Security Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-07-30 18:18:24 BuiltIn
Monitoring af0082fd-fa58-4349-b916-b0e47abb0935 Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.2.2 > 1.3.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee Deploy Dependency agent for Linux virtual machines Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. Fixed
deployIfNotExists
count: 001
Log Analytics Contributor
change
Minor (5.0.0 > 5.1.0) 2024-07-30 18:18:24 BuiltIn
PostgreSQL 12c74c95-0efd-48da-b8d9-2a7d68470c92 PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (1.0.0 > 1.1.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 84cfed75-dfd4-421b-93df-725b479d356a Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.1.2 > 1.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.5.0 > 3.6.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.1 > 3.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.5.0 > 3.6.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.3.0 > 4.4.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 Configure Dependency agent on Azure Arc enabled Windows servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (2.0.0 > 2.1.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.7.0 > 3.8.0) 2024-07-30 18:18:24 BuiltIn
Network 7bca8353-aa3b-429b-904a-9229c4385837 Subnets should be private Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-07-30 18:18:24 BuiltIn
Monitoring 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.1.0 > 3.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.3.0 > 4.4.0) 2024-07-30 18:18:24 BuiltIn
Monitoring d55b81e1-984f-4a96-acab-fae204e3ca7f Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (3.1.1 > 3.2.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.2.0 > 3.3.0) 2024-07-30 18:18:24 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.7.0 > 3.8.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.4.0 > 6.5.0) 2024-07-30 18:18:24 BuiltIn
Monitoring deacecc0-9f84-44d2-bb82-46f32d766d43 Configure Dependency agent on Azure Arc enabled Linux servers Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (2.0.0 > 2.1.0) 2024-07-30 18:18:24 BuiltIn
Monitoring 08a4470f-b26d-428d-97f4-7e3e9c92b366 Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.1.2 > 1.2.0) 2024-07-30 18:18:24 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (1.3.0 > 1.4.0) 2024-07-17 18:20:29 BuiltIn
Azure Ai Services d6759c02-b87f-42b7-892e-71b3f471d782 Azure AI Services resources should use Azure Private Link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-07-17 18:20:29 BuiltIn
Cognitive Services cddd188c-4b82-4c48-a19d-ddf74ee66a01 [Deprecated]: Cognitive Services should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. Default
Audit
Allowed
Audit, Disabled
change
Patch, new suffix: deprecated (3.0.0 > 3.0.1-deprecated) 2024-07-17 18:20:29 BuiltIn
Search 0fda3595-9f2b-4592-8675-4231d6fa82fe [Deprecated]: Azure Cognitive Search services should use private link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Default
Audit
Allowed
Audit, Disabled
change
Patch, new suffix: deprecated (1.0.0 > 1.0.1-deprecated) 2024-07-17 18:20:29 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.5.0 > 1.6.0) 2024-07-17 18:20:29 BuiltIn
Monitoring 637125fd-7c39-4b94-bb0a-d331faf333a9 Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.5.0 > 1.6.0) 2024-07-17 18:20:29 BuiltIn
Kubernetes c873b3ba-c605-42e4-a64b-a142a93826fc [Preview]: Mutate K8s Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for Kubernetes Linux containers. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-15 18:22:44 BuiltIn
Kubernetes c812272d-7488-495f-a505-047d34b83f58 [Preview]: Mutate K8s Init Container to drop all capabilities Mutates securityContext.capabilities.drop to add in "ALL". This drops all capabilities for Kubernetes Linux init containers. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-15 18:22:44 BuiltIn
Compute 7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign this replacement policy with policy ID a3a6ea0c-e018-4933-9ef0-5aaa1501449b. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Kubernetes 57f274ef-580a-4ed2-bcf8-5c6fa3775253 [Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false. Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Guest Configuration 4078e558-bda6-41fb-9b3c-361e8875200d [Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if the Log Analytics agent is not installed on an Azure Arc enabled Windows server. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (2.0.0 > 2.1.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Network 72923a3a-e567-46d3-b3f9-ffb2462a1c3a Virtual Hubs should be protected with Azure Firewall Deploy an Azure Firewall to your Virtual Hubs to protect and granularly control internet egress and ingress traffic. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Network 7c591a93-c34c-464c-94ac-8f9f9a46e3d6 Azure Firewall Standard - Classic Rules should enable Threat Intelligence Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Security Center a3a6ea0c-e018-4933-9ef0-5aaa1501449b [Deprecated]: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Guest Configuration 1e7fed80-8321-4605-b42c-65fc300f23a3 [Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc Machines are non-compliant if the Log Analytics agent is not installed on an Azure Arc enabled Linux server. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.1.0 > 1.2.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Kubernetes 6f87d474-38a9-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Security Center a4fe33eb-e377-4efb-ab31-0784311bc499 [Deprecated]: Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring This policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-07-09 18:20:14 BuiltIn
Network 3f84c9b0-8b64-4208-98d4-6ada96bb49c3 Azure Firewall Policy should have DNS Proxy Enabled Enabling DNS Proxy makes the Azure Firewall associated with this policy listen on port 53 and forward DNS requests to the specified DNS server. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Network 8c19196d-7fd7-45b2-a9b4-7288f47c769a Azure Firewall Standard should be upgraded to Premium for next generation protection If you are looking for next generation protection such as IDPS and TLS inspection, you should consider upgrading your Azure Firewall to the Premium SKU. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Network 3e1f521a-d037-4709-bdd6-1f532f271a75 Azure Firewall should be deployed to span multiple Availability Zones For increased availability we recommend deploying your Azure Firewall to span multiple Availability Zones. This ensures that your Azure Firewall will remain available in the event of a zone failure. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Network 794d77cc-fe65-4801-8514-230c0be387a8 Azure Firewall Classic Rules should be migrated to Firewall Policy Migrate from Azure Firewall Classic Rules to Firewall Policy to utilize central management tools such as Azure Firewall Manager. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes 97de439f-fd35-4d43-a693-3644f51a51fd [Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user ID Reduces the attack surface introduced by escalating privileges as the root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes a8e3ce3c-cac3-4402-a28a-03ee3ede9790 [Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user ID Reduces the attack surface introduced by escalating privileges as the root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes 4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8 [Preview]: Sets Privilege escalation in the Pod spec in init containers to false. Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Network dfb5ac92-ce74-4dbc-81fa-87243e62d5d3 Azure Firewall Policy Analytics should be Enabled Enabling Policy Analytics provides enhanced visibility into traffic flowing through Azure Firewall, enabling the optimization of your firewall configuration without impacting your application performance Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes fe74a23d-79e4-401c-bd0d-fd7a5b35af32 [Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user ID Reduces the attack surface introduced by escalating privileges as the root user in the presence of security vulnerabilities. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Network da79a7e2-8aa1-45ed-af81-ba050c153564 Azure Firewall Policy should enable Threat Intelligence Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes e24df237-32cb-4a6c-a2f6-85b499cda9f2 [Preview]: Prints a message if a mutation is applied Looks up the mutation annotations applied and prints a message if annotation exists. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes 6bcd4321-fb89-4e3e-bf6c-999c13d47f43 [Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present. Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Kubernetes d77df159-718b-4aca-b94b-8e8890a98231 [Preview]: Sets Privilege escalation in the Pod spec to false. Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-07-09 18:20:14 BuiltIn
Security Center ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Role-Based Access Control (RBAC) should be used on Kubernetes Services To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.3 > 1.0.4) 2024-07-09 18:20:14 BuiltIn
Managed Grafana bc33de80-97cd-4c11-b6b4-d075e03c7d60 Configure Azure Managed Grafana workspaces with private endpoints Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Managed Grafana, you can reduce data leakage risks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.0.0 > 1.0.1) 2024-06-28 18:15:04 BuiltIn
Managed Grafana 3a97e513-f75e-4230-8137-1efad4eadbbc Azure Managed Grafana workspaces should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Managed Grafana, you can reduce data leakage risks. Default
Audit
Allowed
Audit, Disabled
change
Patch (1.0.0 > 1.0.1) 2024-06-28 18:15:04 BuiltIn
Managed Grafana 0656cf40-485c-427b-b992-703a4ecf4f88 Azure Managed Grafana workspaces should disable service account Disables API keys and service accounts for automated workloads in the Grafana workspace. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-28 18:15:04 BuiltIn
Managed Grafana a08f2347-fe9c-482b-a944-f6a0e05124c0 Azure Managed Grafana workspaces should disable Grafana Enterprise upgrade Disables Grafana Enterprise upgrade in Grafana workspace. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-28 18:15:04 BuiltIn
Managed Grafana b6752a42-6fc3-46cb-8a15-33aa109407b1 Azure Managed Grafana workspaces should disable email settings Disables SMTP settings configuration of email contact point for alerting in Grafana workspace. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-28 18:15:04 BuiltIn
Kubernetes 28257686-e9db-403e-b9e2-a5eecbe03da9 Azure Kubernetes Clusters should disable SSH Disabling SSH gives you the ability to secure your cluster and reduce the attack surface. To learn more, visit: aka.ms/aks/disablessh Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-06-24 18:15:26 BuiltIn
Network 610b6183-5f00-4d68-86d2-4ab4cb3a67a5 [Deprecated]: Firewall Policy Premium should enable all IDPS signature rules to monitor all inbound and outbound traffic flows This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Network 632d3993-e2c0-44ea-a7db-2eca131f356d [Deprecated]: Web Application Firewall (WAF) should enable all firewall rules for Application Gateway This policy is deprecated because sometimes it is impractical to enable all WAF rules. Instead of continuing to use this policy, we recommend you instead assign this replacement policy with policy ID 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, new suffix: deprecated (1.0.1 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
PostgreSQL 78ed47da-513e-41e9-a088-e829b373281d Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace Deploys the diagnostic settings for PostgreSQL flexible servers to stream to a regional Log Analytics workspace when any PostgreSQL flexible server that is missing these diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
add
new Policy 2024-06-14 18:20:16 BuiltIn
Network f516dc7a-4543-4d40-aad6-98f76a706b50 [Deprecated]: Bypass list of Intrusion Detection and Prevention System (IDPS) should be empty in Firewall Policy Premium This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Guest Configuration d96163de-dbe0-45ac-b803-0e9ca0f5764e Windows machines should configure Windows Defender to update protection signatures within one day To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly. This policy is not applied to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2024-06-14 18:20:16 BuiltIn
Guest Configuration 2454bbee-dc19-442f-83fc-7f3114cafd91 [Deprecated]: Windows machines should use the default NTP server This policy is deprecated because Microsoft 365 App Compliance Program no longer checks the default NTP server on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Guest Configuration b3248a42-b1c1-41a4-87bc-8bad3d845589 Windows machines should enable Windows Defender Real-time protection Windows machines should enable Real-time protection in Windows Defender to provide adequate protection against newly released malware. This policy is not applicable to Arc connected servers and it requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch (1.0.0 > 1.0.1) 2024-06-14 18:20:16 BuiltIn
Guest Configuration 3810e389-1d92-4f77-9267-33bdcf0bd225 [Deprecated]: Windows machines should schedule Windows Defender to perform a scheduled scan every day This policy is deprecated because Microsoft 365 App Compliance Program no longer checks schedule frequency on Windows machines. Learn more details about the latest M365 APP Compliance requirements at aka.ms/acat-cert2-seg-ops. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.2.0 > 1.3.0-deprecated) 2024-06-14 18:20:16 BuiltIn
SQL 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 Public network access should be disabled for PostgreSQL flexible servers Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP based firewall rules. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.0.1 > 3.1.0) 2024-06-14 18:20:16 BuiltIn
PostgreSQL ce39a96d-bf09-4b60-8c32-e85d52abea0f A Microsoft Entra administrator should be provisioned for PostgreSQL flexible servers Audit provisioning of a Microsoft Entra administrator for your PostgreSQL flexible server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-06-14 18:20:16 BuiltIn
Network 6484db87-a62d-4327-9f07-80a2cbdf333a [Deprecated]: Firewall Policy Premium should enable the Intrusion Detection and Prevention System (IDPS) This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Network f2c2d0a6-e183-4fc8-bd8f-363c65d3bbbf [Deprecated]: Subscription should configure the Azure Firewall Premium to provide additional layer of protection This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
Network a58ac66d-92cb-409c-94b8-8e48d7a96596 [Deprecated]: Azure firewall policy should enable TLS inspection within application rules This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
PostgreSQL 12c74c95-0efd-48da-b8d9-2a7d68470c92 PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest Use customer-managed keys to manage the encryption at rest of your PostgreSQL flexible servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-14 18:20:16 BuiltIn
Network 711c24bb-7f18-4578-b192-81a6161e1f17 [Deprecated]: Azure Firewall Premium should configure a valid intermediate certificate to enable TLS inspection This policy is deprecated because Microsoft 365 App Compliance Program no longer requires Azure Firewall premium as the only network security control solution. Learn more details about the latest M365 APP Compliance requirements about network security controls at aka.ms/acat-cert2-seg-ops-nsc. Learn more about policy definition deprecation at aka.ms/policydefdeprecation. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, new suffix: deprecated (1.0.0 > 1.1.0-deprecated) 2024-06-14 18:20:16 BuiltIn
PostgreSQL 4eb5e667-e871-4292-9c5d-8bbb94e0c908 Auditing with PgAudit should be enabled for PostgreSQL flexible servers This policy helps audit any PostgreSQL flexible servers in your environment that are not enabled to use pgaudit. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-06-14 18:20:16 BuiltIn
PostgreSQL a43d5475-c569-45ce-a268-28fa79f4e87a PostgreSQL flexible servers should be running TLS version 1.2 or newer This policy helps audit any PostgreSQL flexible servers in your environment that are running a TLS version lower than 1.2. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-06-14 18:20:16 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.6.0 > 1.7.0) 2024-06-10 18:18:08 BuiltIn
Kubernetes 64def556-fbad-4622-930e-72d1d5589bf5 Configure Azure Kubernetes Service clusters to enable Defender profile Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Defender Kubernetes Agent Operator
Kubernetes Agent Operator
change
Minor (4.1.0 > 4.2.0) 2024-06-10 18:18:08 BuiltIn
Security Center Deploy-ASC-SecurityContacts Deploy Microsoft Defender for Cloud Security Contacts Deploy Microsoft Defender for Cloud Security Contacts Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Security Admin
change
Major (1.1.0 > 2.0.0) 2024-06-10 18:18:08 ALZ
DevOpsInfrastructure 0d6d79a8-8406-4e87-814d-2dcd83b2c355 [Preview]: Microsoft Managed DevOps Pools should be provided with a valid subnet resource in order to be configured with their own virtual network. Disallows creating Pool resources if a valid subnet resource is not provided. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-10 18:18:08 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.5.0 > 1.6.0) 2024-06-10 18:18:08 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-06-10 18:18:08 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.6.0 > 1.7.0) 2024-06-10 18:18:08 BuiltIn
General DenyAction-DeleteResources Do not allow deletion of specified resource and resource type This policy enables you to specify the resource and resource type that your organization can protect from accidental deletion by blocking delete calls using the deny action effect. Default
DenyAction
Allowed
DenyAction, Disabled
add
new Policy 2024-06-06 18:16:12 ALZ
Monitoring Deploy-Diagnostics-EventGridSystemTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-LocalUser Local users should be restricted for Storage Accounts Azure Storage accounts should disable local users for features like SFTP. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ResourceAccessRulesTenantId Resource Access Rules Tenants should be restricted for Storage Accounts Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from the same AAD tenant. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-MlWorkspace [Deprecated]: Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Audit-PrivateLinkDnsZones Audit or Deny the creation of Private Link Private DNS Zones This policy audits or denies, depending on the assignment effect, the creation of Private Link Private DNS Zones in the current scope; it is used in combination with policies that create centralized private DNS in the connectivity subscription Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch (1.0.1 > 1.0.2) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-SQLMI [Deprecated]: Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instance that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-TrafficManager [Deprecated]: Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Relay [Deprecated]: Deploy Diagnostic Settings for Relay to Log Analytics workspace Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ApplicationGateway [Deprecated]: Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-ApiForFHIR [Deprecated]: Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-APIMgmt [Deprecated]: Deploy Diagnostic Settings for API Management to Log Analytics workspace Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-HDInsight [Deprecated]: Deploy Diagnostic Settings for HDInsight to Log Analytics workspace Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-DataFactory [Deprecated]: Deploy Diagnostic Settings for Data Factory to Log Analytics workspace Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Guest Configuration e22a2f03-0534-4d10-8ea0-aa25a6113233 Configure SSH security posture for Linux (powered by OSConfig) This policy audits and configures SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Guest Configuration Resource Contributor
add
new Policy 2024-06-03 17:39:43 BuiltIn
Logic Apps Deploy-LogicApp-TLS Configure Logic apps to use the latest TLS version Periodically, newer TLS versions are released to address security flaws, add functionality, or improve speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Website Contributor
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Bastion [Deprecated]: Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Deny-AzFw-Without-Policy Azure Firewall should have a default Firewall Policy This policy denies the creation of Azure Firewall without a default Firewall Policy. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-AVDScalingPlans [Deprecated]: Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-DLAnalytics [Deprecated]: Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Modify-UDR Enforce specific configuration of User-Defined Routes (UDR) This policy enforces the configuration of User-Defined Routes (UDR) within a subnet. Default
Modify
Allowed
Modify, Disabled
count: 001
Network Contributor
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-EventGridTopic [Deprecated]: Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Security Center 0961003e-5a0a-4549-abde-af6a37f2724d [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources This policy definition is no longer the recommended way to achieve its intent. Instead of continuing to use this policy, we recommend you assign these replacement policies with policy IDs 3dc5edcd-002d-444c-b216-e123bbfa37c0 and ca88aadc-6e2b-416c-9de2-5a0f01d1693f. Learn more about policy definition deprecation at aka.ms/policydefdeprecation Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (2.0.3 > 2.1.0-deprecated) 2024-06-03 17:39:43 BuiltIn
Network Deny-AppGw-Without-Tls Application Gateway should be deployed with predefined Microsoft policy that is using TLS version 1.2 This policy enables you to ensure that Application Gateways are always deployed with the predefined Microsoft policy that uses TLS version 1.2 Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-PowerBIEmbedded [Deprecated]: Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Logic Apps Deny-LogicApps-Without-Https Logic app should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Logic Apps Deny-LogicApp-Public-Network Logic apps should disable public network access Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
App Service Deny-AppService-without-BYOC App Service certificates must be stored in Key Vault App Service (including Logic apps and Function apps) must use certificates stored in Key Vault Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-WVDAppGroup [Deprecated]: Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-Arc-Sql-DefenderSQL-DCR [Deprecated]: Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (63d03cbd-47fd-4ee1-8a1c-9ddf07303de0) BuiltIn
2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VNetGW [Deprecated]: Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-RedisCache [Deprecated]: Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-CorsRules Storage Accounts should restrict CORS rules Deny CORS rules for storage accounts for increased data exfiltration protection and endpoint protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-SQLElasticPools [Deprecated]: Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pool that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Network Modify-NSG Enforce specific configuration of Network Security Groups (NSG) This policy enforces the configuration of Network Security Groups (NSG). Default
Modify
Allowed
Modify, Disabled
count: 001
Network Contributor
add
new Policy 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-ServicesEncryption Encryption for storage services should be enforced for Storage Accounts Azure Storage accounts should enforce encryption for all storage services. Enforce this for increased encryption scope. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Networking Deploy-Private-DNS-Generic Deploy-Private-DNS-Generic Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Network Contributor
add
new Policy 2024-06-03 17:39:43 ALZ
Cognitive Services Deny-CognitiveServices-Resource-Kinds Only explicit kinds for Cognitive Services should be allowed Azure Cognitive Services should only create explicitly allowed kinds. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Cognitive Services Deny-CognitiveServices-RestrictOutboundNetworkAccess Outbound network access should be restricted for Cognitive Services Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Security Center Deploy-MDFC-Arc-SQL-DCR-Association [Deprecated]: Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR (2227e1f1-23dd-4c3a-85a9-7024a401d8b2) BuiltIn
2024-06-03 17:39:43 ALZ
Storage Deny-Storage-minTLS [Deprecated] Storage Account set to minimum TLS and Secure transfer should be enabled Audit requirement of Secure transfer in your storage account. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/fe83a0eb-a853-422d-aac2-1bffd182c5d0.html and https://www.azadvertizer.net/azpolicyadvertizer/404c3081-a854-4457-ae30-26a93ef643f9.html Default
Deny
Allowed
Audit, Deny, Disabled
change
Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)

Superseded by: Policy (fe83a0eb-a853-422d-aac2-1bffd182c5d0,404c3081-a854-4457-ae30-26a93ef643f9)
2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-TimeSeriesInsights [Deprecated]: Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-PostgreSQL [Deprecated]: Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Function [Deprecated]: Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-NIC [Deprecated]: Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interface that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Storage Deny-Storage-NetworkAclsBypass Network ACL bypass option should be restricted for Storage Accounts Azure Storage accounts should restrict the bypass option for service-level network ACLs. Enforce this for increased data exfiltration protection. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Network Deny-Service-Endpoints Deny or Audit service endpoints on subnets This Policy will deny/audit Service Endpoints on subnets. Service Endpoints allow network traffic to bypass network appliances, such as the Azure Firewall. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Website [Deprecated]: Deploy Diagnostic Settings for App Service to Log Analytics workspace Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-Databricks [Deprecated]: Deploy Diagnostic Settings for Databricks to Log Analytics workspace Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) 2024-06-03 17:39:43 ALZ
SQL fa498b91-8a7e-4710-9578-da944c68d1fe [Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities. Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-06-03 17:39:43 BuiltIn
Security Center Deploy-MDFC-SQL-DefenderSQL-DCR [Deprecated]: Configure SQL Virtual Machines to auto install Microsoft Defender for SQL and DCR with a user-defined LAW Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/04754ef9-9ae3-4477-bf17-86ef50026304.html Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Version remains equal, new suffix: deprecated (1.0.1 > 1.0.1-deprecated)

Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace (04754ef9-9ae3-4477-bf17-86ef50026304) BuiltIn
2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-iotHub [Deprecated]: Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Event Hub Deny-EH-Premium-CMK Event Hub namespaces (Premium) should use a customer-managed key for encryption Event Hub namespaces (Premium) should use a customer-managed key for encryption. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-CognitiveServices [Deprecated]: Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-AnalysisService [Deprecated]: Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Cognitive Services Deny-CognitiveServices-NetworkAcls Network ACLs should be restricted for Cognitive Services Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. Enable this to restrict inbound network access and enforce the usage of private endpoints. Default
Deny
Allowed
Audit, Deny, Disabled
add
new Policy 2024-06-03 17:39:43 ALZ
Monitoring Deploy-Diagnostics-VirtualNetwork [Deprecated]: Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network that is missing these diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) 2024-06-03 17:39:43 ALZ
Category: Security Center | Id: Deploy-MDFC-SQL-AMA
DisplayName: [Deprecated]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent
Description: Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/f91991d1-5383-4c95-8ee5-5ac423dd8bb1.html
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 001): Virtual Machine Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); Superseded by: Configure SQL Virtual Machines to automatically install Azure Monitor Agent (f91991d1-5383-4c95-8ee5-5ac423dd8bb1) BuiltIn | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-ExpressRoute
DisplayName: [Deprecated]: Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace
Description: Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Event Hub | Id: Deny-EH-minTLS
DisplayName: Event Hub namespaces should use a valid TLS version
Description: Event Hub namespaces should use a valid TLS version.
Effect: Default: Deny; Allowed: Audit, Deny, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-WebServerFarm
DisplayName: [Deprecated]: Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace
Description: Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: API Management | Id: Deny-APIM-TLS
DisplayName: API Management services should use TLS version 1.2
Description: Azure API Management service should use TLS version 1.2
Effect: Default: Deny; Allowed: Audit, Deny, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-MediaService
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace
Description: Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-CDNEndpoints
DisplayName: [Deprecated]: Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace
Description: Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-ACR
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Container Registry to Log Analytics workspace
Description: Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-Firewall
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Firewall to Log Analytics workspace
Description: Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-LoadBalancer
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace
Description: Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-ACI
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Container Instances to Log Analytics workspace
Description: Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-VWanS2SVPNGW
DisplayName: [Deprecated]: Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace
Description: Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Storage | Id: Deny-Storage-CopyScope
DisplayName: Allowed Copy scope should be restricted for Storage Accounts
Description: Azure Storage accounts should restrict the allowed copy scope. Enforce this for increased data exfiltration protection.
Effect: Default: Deny; Allowed: Audit, Deny, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-FrontDoor
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Front Door to Log Analytics workspace
Description: Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-WVDWorkspace
DisplayName: [Deprecated]: Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace
Description: Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.1 > 1.1.1-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-VM
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace
Description: Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-SignalR
DisplayName: [Deprecated]: Deploy Diagnostic Settings for SignalR to Log Analytics workspace
Description: Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-AA
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Automation to Log Analytics workspace
Description: Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-DataExplorerCluster
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace
Description: Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Storage | Id: Deny-Storage-NetworkAclsVirtualNetworkRules
DisplayName: Virtual network rules should be restricted for Storage Accounts
Description: Azure Storage accounts should restrict the virtual network service-level network ACLs. Enforce this for increased data exfiltration protection.
Effect: Default: Deny; Allowed: Audit, Deny, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-MySQL
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace
Description: Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Storage | Id: Deny-Storage-ResourceAccessRulesResourceId
DisplayName: Resource Access Rules resource IDs should be restricted for Storage Accounts
Description: Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. Enforce this for increased data exfiltration protection.
Effect: Default: Deny; Allowed: Audit, Deny, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-EventGridSub
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace
Description: Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Storage | Id: Deny-Storage-ContainerDeleteRetentionPolicy
DisplayName: Storage Accounts should use a container delete retention policy
Description: Enforce container delete retention policies larger than seven days for storage account. Enable this for increased data loss protection.
Effect: Default: Deny; Allowed: Audit, Deny, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-WVDHostPools
DisplayName: [Deprecated]: Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace
Description: Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.3.0 > 1.3.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-NetworkSecurityGroups
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace
Description: Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-CosmosDB
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace
Description: Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.2.0 > 1.2.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-VMSS
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace
Description: Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Managed Identity | Id: Deploy-UserAssignedManagedIdentity-VMInsights
DisplayName: [Deprecated]: Deploy User Assigned Managed Identity for VM Insights
Description: Policy is deprecated as it's no longer required. User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription.
Effect: Default: DeployIfNotExists; Allowed: AuditIfNotExists, DeployIfNotExists, Disabled
Roles used (count: 001): Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-LogAnalytics
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace
Description: Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Security Center | Id: Deploy-MDFC-SQL-DefenderSQL
DisplayName: [Deprecated]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
Description: Policy is deprecated as the built-in policy now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce.html
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated); Superseded by: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL (ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) BuiltIn | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Monitoring | Id: Deploy-Diagnostics-LogicAppsISE
DisplayName: [Deprecated]: Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace
Description: Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Version remains equal, new suffix: deprecated (1.1.0 > 1.1.0-deprecated) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Cost Optimization | Id: Audit-PublicIpAddresses-UnusedResourcesCostOptimization
DisplayName: Unused Public IP addresses driving cost should be avoided
Description: Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.
Effect: Default: Audit; Allowed: Audit, Disabled
Subject: change | Change: Minor (1.0.0 > 1.1.0) | Date (UTC): 2024-06-03 17:39:43 | Type: ALZ

Category: Azure Update Manager | Id: 9905ca54-1471-49c6-8291-7582c04cd4d4
DisplayName: [Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines.
Description: This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and enables 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 001): Contributor
Subject: change | Change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: PostgreSQL | Id: c29c38cb-74a7-4505-9a06-e588ab86620a
DisplayName: Enforce SSL connection should be enabled for PostgreSQL flexible servers
Description: Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL flexible server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database flexible server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your PostgreSQL flexible server.
Effect: Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: Azure Update Manager | Id: ba0df93e-e4ac-479a-aac2-134bbae39a1a
DisplayName: Schedule recurring updates using Azure Update Manager
Description: You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. See more: https://aka.ms/umc-scheduled-patching
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 001): Contributor
Subject: change | Change: Minor (3.10.0 > 3.12.0) | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: PostgreSQL | Id: 5375a5bb-22c6-46d7-8a43-83417cfb4460
DisplayName: Private endpoint should be enabled for PostgreSQL flexible servers
Description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure.
Effect: Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: Cosmos DB | Id: 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb
DisplayName: Azure Cosmos DB accounts should have firewall rules
Description: Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.
Effect: Default: Deny; Allowed: Audit, Deny, Disabled
Subject: change | Change: Minor (2.0.0 > 2.1.0) | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: PostgreSQL | Id: 70be9e12-c935-49ac-9bd8-fd64b85c1f87
DisplayName: Log checkpoints should be enabled for PostgreSQL flexible servers
Description: This policy helps audit any PostgreSQL flexible servers in your environment without log_checkpoints setting enabled.
Effect: Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: PostgreSQL | Id: 1d14b021-1bae-4f93-b36b-69695e14984a
DisplayName: Disconnections should be logged for PostgreSQL flexible servers
Description: This policy helps audit any PostgreSQL flexible servers in your environment without log_disconnections enabled.
Effect: Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: PostgreSQL | Id: dacf07fa-0eea-4486-80bc-b93fae88ac40
DisplayName: Connection throttling should be enabled for PostgreSQL flexible servers
Description: This policy helps audit any PostgreSQL flexible servers in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures.
Effect: Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: PostgreSQL | Id: cee2f9fd-3968-44be-a863-bd62c9884423
DisplayName: Geo-redundant backup should be enabled for Azure Database for PostgreSQL flexible servers
Description: Azure Database for PostgreSQL flexible servers allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.
Effect: Default: Audit; Allowed: Audit, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: PostgreSQL | Id: 086709ac-11b5-478d-a893-9567a16d2ae3
DisplayName: Log connections should be enabled for PostgreSQL flexible servers
Description: This policy helps audit any PostgreSQL flexible servers in your environment without log_connections setting enabled.
Effect: Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-27 16:38:31 | Type: BuiltIn

Category: Cosmos DB | Id: 12339a85-a25c-4f17-9f82-4766f13f5c4c
DisplayName: Azure Cosmos DB accounts should not allow traffic from all Azure data centers
Description: Disallow the IP Firewall rule, '0.0.0.0', which allows for all traffic from any Azure data centers. Learn more at https://aka.ms/cosmosdb-firewall
Effect: Default: Audit; Allowed: Audit, Deny, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-17 18:03:56 | Type: BuiltIn

Category: ChangeTrackingAndInventory | Id: ad1eeff9-20d7-4c82-a04e-903acab0bfc1
DisplayName: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity
Description: Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 001): Virtual Machine Contributor
Subject: change | Change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | Date (UTC): 2024-05-17 18:03:56 | Type: BuiltIn

Category: ChangeTrackingAndInventory | Id: 56d0ed2b-60fc-44bf-af81-a78c851b5fe1
DisplayName: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity
Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 001): Virtual Machine Contributor
Subject: change | Change: Minor, suffix remains equal (1.4.0-preview > 1.5.0-preview) | Date (UTC): 2024-05-17 18:03:56 | Type: BuiltIn

Category: ChangeTrackingAndInventory | Id: b73e81f3-6303-48ad-9822-b69fc00c15ef
DisplayName: [Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity
Description: Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 001): Virtual Machine Contributor
Subject: change | Change: Minor, suffix remains equal (1.3.0-preview > 1.4.0-preview) | Date (UTC): 2024-05-17 18:03:56 | Type: BuiltIn

Category: ChangeTrackingAndInventory | Id: 4485d24b-a9d3-4206-b691-1fad83bc5007
DisplayName: [Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity
Description: Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for enabling ChangeTracking and Inventory. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 001): Virtual Machine Contributor
Subject: change | Change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) | Date (UTC): 2024-05-17 18:03:56 | Type: BuiltIn

Category: Backup | Id: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86
DisplayName: Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag.
Effect: Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
Roles used (count: 002): Backup Contributor, Virtual Machine Contributor
Subject: change | Change: Minor (9.2.0 > 9.3.0) | Date (UTC): 2024-05-13 17:44:58 | Type: BuiltIn

Category: Guest Configuration | Id: a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4
DisplayName: Audit SSH security posture for Linux (powered by OSConfig)
Description: This policy audits SSH server security configuration on Linux machines (Azure VMs and Arc-enabled machines). For more information including pre-requisites, settings in scope, defaults, and customization, see https://aka.ms/SshPostureControlOverview
Effect: Default: AuditIfNotExists; Allowed: AuditIfNotExists, Disabled
Subject: add | Change: new Policy | Date (UTC): 2024-05-13 17:44:58 | Type: BuiltIn

Category: Backup | Id: 09ce66bc-1220-4153-8104-e3f51c936913
DisplayName: Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag.
Effect: Default: DeployIfNotExists; Allowed: auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
Roles used (count: 002): Backup Contributor, Virtual Machine Contributor
Subject: change | Change: Minor (9.2.0 > 9.3.0) | Date (UTC): 2024-05-13 17:44:58 | Type: BuiltIn

Category: Security Center | Id: 2227e1f1-23dd-4c3a-85a9-7024a401d8b2
DisplayName: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR
Description: Configure association between Arc-enabled SQL Servers and the Microsoft Defender for SQL user-defined DCR. Deleting this association will break the detection of security vulnerabilities for this Arc-enabled SQL Servers.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Minor (1.2.0 > 1.3.0) | Date (UTC): 2024-05-13 17:44:58 | Type: BuiltIn

Category: Monitoring | Id: 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07
DisplayName: Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Description: Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.
Effect: Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled
Roles used (count: 002): Log Analytics Contributor, Monitoring Contributor
Subject: change | Change: Minor (4.2.0 > 4.3.0) | Date (UTC): 2024-05-13 17:44:58 | Type: BuiltIn

Backup bdff5235-9f40-4a32-893f-38a03d5d607c [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag. Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-05-13 17:44:58 BuiltIn
Backup 345fa903-145c-4fe1-8bcd-93ec2adccde8 Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.6.0 > 3.7.0) 2024-05-13 17:44:58 BuiltIn
Backup 9a021087-bba6-42fd-b535-bba75297566b [Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag. Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Owner
add
new Policy 2024-05-13 17:44:58 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Backup 6e68865f-f3cd-48ec-9bba-54795672eaa4 [Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region Enforce backup for all Azure Disks (Managed Disks) that do not contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Backup Contributor
add
new Policy 2024-05-13 17:44:58 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.2.0 > 4.3.0) 2024-05-13 17:44:58 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Backup 83644c87-93dd-49fe-bf9f-6aff8fd0834e Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default
DeployIfNotExists
Allowed
auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled
count: 002
Backup Contributor
Virtual Machine Contributor
change
Minor (9.2.0 > 9.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.6.0 > 3.7.0) 2024-05-13 17:44:58 BuiltIn
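The two Azure Monitor Agent rows above (ae8a10e6-... for Linux virtual machines and 59c3d93f-... for Linux scale sets) install the extension and bind it to a specified user-assigned managed identity rather than the default system-assigned one. A practitioner checking that this actually happened wants to look at the deployed extension settings, not just at policy compliance. The following is an added example, not code from the policy or from this changelog: it inspects exported VM documents (ARM JSON with extensions nested under `resources`) and classifies each machine by how AMA authenticates. The `authentication` / `managedIdentity` / `identifier-name` / `identifier-value` setting shape is the documented AMA extension setting; the VM documents, identity resource ID and GUIDs are constructed placeholders.

```python
# Added example, not the policy's own remediation logic: inspect exported VM documents
# (ARM "Microsoft.Compute/virtualMachines" JSON with extensions nested under "resources")
# and report whether the Azure Monitor Agent is bound to the expected user-assigned identity.
# The "authentication"/"managedIdentity" setting shape is the documented AMA extension
# setting; the VM documents below are constructed samples with placeholder IDs.
AMA_TYPES = {"AzureMonitorLinuxAgent", "AzureMonitorWindowsAgent"}
UAMI_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-identity"
           "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-ama")
UAMI_CLIENT_ID = "22222222-2222-2222-2222-222222222222"

def _ama_extension(vm):
    for r in vm.get("resources", []):
        p = r.get("properties", {})
        if p.get("publisher") == "Microsoft.Azure.Monitor" and p.get("type") in AMA_TYPES:
            return r
    return None

def check_ama_identity(vm, expected_uami_id):
    """Return (status, detail) for one VM; 'ok' only when AMA is bound to the expected identity."""
    ident = vm.get("identity") or {}
    attached = {k.lower(): v for k, v in (ident.get("userAssignedIdentities") or {}).items()}
    key = expected_uami_id.lower()
    if "UserAssigned" not in ident.get("type", "") or key not in attached:
        return "identity-not-attached", "expected user-assigned identity is not attached to the VM"
    ext = _ama_extension(vm)
    if ext is None:
        return "ama-missing", "no Azure Monitor Agent extension installed"
    auth = ext["properties"].get("settings", {}).get("authentication", {}).get("managedIdentity")
    if not auth:
        return "system-assigned", "AMA installed but authenticating with the default system-assigned identity"
    name, value = auth.get("identifier-name"), str(auth.get("identifier-value", ""))
    if name == "mi_res_id" and value.lower() == key:
        return "ok", "AMA bound to the expected identity by resource id"
    if name == "mi_client_id" and value.lower() == str(attached[key].get("clientId", "")).lower():
        return "ok", "AMA bound to the expected identity by client id"
    return "wrong-identity", f"AMA bound to {name}={value}"

def summarize(vms, expected_uami_id):
    """Map VM name -> status so the non-'ok' machines can be handed to a remediation task."""
    return {vm["name"]: check_ama_identity(vm, expected_uami_id)[0] for vm in vms}

def _vm(name, with_identity=True, ama_settings=None, install_ama=True):
    # Constructed sample VM document; only the fields the check reads are present.
    vm = {"name": name, "type": "Microsoft.Compute/virtualMachines", "resources": []}
    if with_identity:
        vm["identity"] = {"type": "SystemAssigned, UserAssigned",
                          "userAssignedIdentities": {UAMI_ID: {"clientId": UAMI_CLIENT_ID,
                                                               "principalId": "33333333-3333-3333-3333-333333333333"}}}
    if install_ama:
        vm["resources"].append({"type": "Microsoft.Compute/virtualMachines/extensions", "name": "AzureMonitorLinuxAgent",
                                "properties": {"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorLinuxAgent",
                                               "settings": ama_settings or {}}})
    return vm

BY_RES_ID = {"authentication": {"managedIdentity": {"identifier-name": "mi_res_id", "identifier-value": UAMI_ID}}}
BY_CLIENT_ID = {"authentication": {"managedIdentity": {"identifier-name": "mi_client_id", "identifier-value": UAMI_CLIENT_ID}}}
OTHER_IDENTITY = {"authentication": {"managedIdentity": {"identifier-name": "mi_res_id",
                                                          "identifier-value": UAMI_ID.replace("mi-ama", "mi-other")}}}
SAMPLE_VMS = [
    _vm("vm-web-01", ama_settings=BY_RES_ID),
    _vm("vm-web-02", ama_settings=BY_CLIENT_ID),
    _vm("vm-db-01", ama_settings={}),                 # AMA present, no authentication block
    _vm("vm-db-02", install_ama=False),               # identity attached, agent never installed
    _vm("vm-legacy", with_identity=False, ama_settings=BY_RES_ID),
    _vm("vm-app-01", ama_settings=OTHER_IDENTITY),
]

if __name__ == "__main__":
    for name, status in summarize(SAMPLE_VMS, UAMI_ID).items():
        print(f"{name:12} {status}")
```

The `system-assigned` status is the one worth watching: the policy description says the install is skipped when OS or region are unsupported, so a machine can also end up with an agent installed by an older assignment that never received the identity binding, and such a machine is authenticating to Log Analytics with a different principal than the one your data collection rules and role assignments were designed around.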
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.5.0 > 1.6.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.3.0 > 6.4.0) 2024-05-13 17:44:58 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (1.2.0 > 1.3.0) 2024-05-13 17:44:58 BuiltIn
Monitoring c84e5349-db6d-4769-805e-e14037dab9b5 Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.0.0 > 1.1.0) 2024-05-13 17:44:58 BuiltIn
Security Center f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.3.0 > 1.4.0) 2024-05-13 17:44:58 BuiltIn
Backup 7b5a3b1d-d2e1-4c0b-9f3b-ad0b9a2283f4 [Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region Enforce backup for all Azure Disks (Managed Disks) that contain a given tag to a central backup vault. Learn more at https://aka.ms/AB-DiskBackupAzPolicies Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Backup Contributor
add
new Policy 2024-05-13 17:44:58 BuiltIn
Security Center 6e2593d9-add6-4083-9c9b-4b7d2188c899 Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-05-13 17:44:58 BuiltIn
Security Center ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (1.3.0 > 1.4.0) 2024-05-13 17:44:58 BuiltIn
Monitoring 2e3285f9-ae82-4f69-b83f-5b6f1ee69f3a Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 944eae3e-6b16-4864-86e1-1b23d58386d5 Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 567c93f7-3661-494f-a30f-0a94d9bfebf8 Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring dcb324b0-3bfa-4df4-b476-64122bde219e Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Scaling plans (microsoft.desktopvirtualization/scalingplans). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a853abad-dfa4-4bf5-aaa1-04cb10c02d23 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 71153be3-4742-4aae-9aec-150f7589311b Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
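Every row in this list whose default effect is DeployIfNotExists carries a "Roles used" column for a reason: a DeployIfNotExists (or Modify) assignment only remediates if the assignment has a managed identity and that identity holds each role the definition names in `roleDefinitionIds`, at or above the assignment scope. Without that, the assignment still evaluates and reports resources as non-compliant, but remediation tasks deploy nothing, which for the diagnostic-settings and Defender rows above means the logs and alerts you think you enforced are silently absent. The "Allowed" column is the `allowedValues` of the definition's `effect` parameter, so an assignment can also lower the effect to AuditIfNotExists, in which case no identity is needed. The following is an added example, not code from Azure Policy or from this changelog: it resolves the effective effect of an assignment, validates its parameters against `allowedValues`, and checks the identity's role assignments. The definition is shaped after the Key Vault to Event Hub row above (71153be3-...), with the `if` block omitted and the `categoryGroup` parameter assumed; the subscription and principal GUIDs are placeholders and the role GUIDs are taken from the Azure built-in roles reference (verify them before relying on this).

```python
import re

# Added example, not code from the Azure Policy service or this changelog: audit one policy
# assignment against its definition the way the "Effect" and "Roles used" columns imply.
# Sample data is constructed; the subscription and principal GUIDs are placeholders and the
# role GUIDs come from the Azure built-in roles reference (verify them before relying on this).
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
ROLE_NAMES = {
    "f526a384-b230-433a-b45c-95f59c4a2dec": "Azure Event Hubs Data Owner",
    "92aaf0da-9dab-42b6-94a3-d43ce8d16293": "Log Analytics Contributor",
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"

# Definition shaped after the row 71153be3-... (Key Vault logs to Event Hub). The "if" block is
# left out because only "then" matters here; the categoryGroup parameter is assumed.
POLICY_DEFINITION = {
    "id": "/providers/Microsoft.Authorization/policyDefinitions/71153be3-4742-4aae-9aec-150f7589311b",
    "properties": {
        "parameters": {
            "effect": {"type": "String", "defaultValue": "DeployIfNotExists",
                       "allowedValues": ["DeployIfNotExists", "AuditIfNotExists", "Disabled"]},
            "categoryGroup": {"type": "String", "defaultValue": "audit",
                              "allowedValues": ["audit", "allLogs"]},
        },
        "policyRule": {"then": {
            "effect": "[parameters('effect')]",
            "details": {"type": "Microsoft.Insights/diagnosticSettings",
                        "roleDefinitionIds": [f"/providers/microsoft.authorization/roleDefinitions/{g}"
                                              for g in ROLE_NAMES]},
        }},
    },
}

def make_assignment(scope, params, identity=None):
    a = {"properties": {"scope": scope, "policyDefinitionId": POLICY_DEFINITION["id"],
                        "parameters": {k: {"value": v} for k, v in params.items()}}}
    if identity:
        a["identity"] = identity
    return a

SYSTEM_ID = {"type": "SystemAssigned", "principalId": PRINCIPAL}
RG = f"{SUB}/resourceGroups/rg-prod"
ASSIGNMENT_OK = make_assignment(RG, {"categoryGroup": "allLogs"}, SYSTEM_ID)
ASSIGNMENT_SUB_SCOPE = make_assignment(SUB, {}, SYSTEM_ID)          # scope wider than one role grant
ASSIGNMENT_NO_IDENTITY = make_assignment(RG, {})
ASSIGNMENT_AUDIT_ONLY = make_assignment(SUB, {"effect": "AuditIfNotExists"})
ASSIGNMENT_BAD_PARAM = make_assignment(RG, {"categoryGroup": "everything"}, SYSTEM_ID)
# Role assignments held by the identity: Event Hubs Data Owner only on rg-prod,
# Log Analytics Contributor on the whole subscription.
ROLE_ASSIGNMENTS = [
    {"principalId": PRINCIPAL, "scope": RG,
     "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"},
    {"principalId": PRINCIPAL, "scope": SUB,
     "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"},
]

def resolve_param(value, definition, assignment):
    """Resolve "[parameters('x')]": the assignment's value wins, else the definition's defaultValue."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    if not m:
        return value
    assigned = assignment["properties"].get("parameters", {})
    if m.group(1) in assigned:
        return assigned[m.group(1)]["value"]
    return definition["properties"].get("parameters", {}).get(m.group(1), {}).get("defaultValue")

def effective_effect(definition, assignment):
    return str(resolve_param(definition["properties"]["policyRule"]["then"]["effect"], definition, assignment))

def scope_covers(granted_scope, target_scope):
    """A role granted at a parent ARM scope (subscription) covers its children (resource groups)."""
    g, t = granted_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == g or t.startswith(g + "/")

def audit_assignment(definition, assignment, role_assignments):
    findings, props = [], definition["properties"]
    for name, spec in props.get("parameters", {}).items():
        val = resolve_param(f"[parameters('{name}')]", definition, assignment)
        if "allowedValues" in spec and val is not None and val not in spec["allowedValues"]:
            findings.append(f"parameter {name}={val!r} not in allowedValues {spec['allowedValues']}")
    effect = effective_effect(definition, assignment)
    if effect.lower() not in ("deployifnotexists", "modify"):
        return findings          # audit or disabled effects deploy nothing, so no identity is needed
    identity = assignment.get("identity") or {}
    principal = identity.get("principalId")
    if identity.get("type") == "UserAssigned":
        principal = next(iter(identity.get("userAssignedIdentities", {}).values()), {}).get("principalId")
    if not principal:
        findings.append(f"effect {effect} but the assignment has no managed identity; remediation cannot deploy")
        return findings
    scope = assignment["properties"]["scope"]
    for role_id in props["policyRule"]["then"]["details"].get("roleDefinitionIds", []):
        guid = role_id.rsplit("/", 1)[-1].lower()
        held = any(ra["principalId"] == principal
                   and ra["roleDefinitionId"].rsplit("/", 1)[-1].lower() == guid
                   and scope_covers(ra["scope"], scope) for ra in role_assignments)
        if not held:
            findings.append(f"identity {principal} lacks {ROLE_NAMES.get(guid, guid)} at or above {scope}")
    return findings

if __name__ == "__main__":
    for label, a in [("ok", ASSIGNMENT_OK), ("sub-scope", ASSIGNMENT_SUB_SCOPE), ("no-identity", ASSIGNMENT_NO_IDENTITY),
                     ("audit-only", ASSIGNMENT_AUDIT_ONLY), ("bad-param", ASSIGNMENT_BAD_PARAM)]:
        print(label, effective_effect(POLICY_DEFINITION, a), audit_assignment(POLICY_DEFINITION, a, ROLE_ASSIGNMENTS))
```

The scope check matters more than it looks: the Event Hubs Data Owner grant on one resource group is enough for an assignment scoped to that group, but the same identity fails when the assignment is moved up to the subscription, and the portal's compliance view will not tell you why the remediation task sits at zero deployments. The same check applies unchanged to the Defender for SQL, backup and ChangeTracking rows on this page; only the definition's `roleDefinitionIds` differ.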
Monitoring 5cfb9e8a-2f13-40bd-a527-c89bc596d299 Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3234ff41-8bec-40a3-b5cb-109c95f1c8ce Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9cbc4c60-0db8-483c-999b-0f017a01a56b Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid System Topics (microsoft.eventgrid/systemtopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6b2899d8-5fdf-4ade-ba59-f1f82664877b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 454c7d4b-c141-43f1-8c81-975ebb15a9b5 Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Databricks Services (microsoft.databricks/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 28e2d787-b5f4-43cf-8cb7-11b54773d379 Enable logging by category group for microsoft.network/networkmanagers/ipampools to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networkmanagers/ipampools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4cabf9fc-4ed1-4990-bbaf-7248fb8751bc Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a12e0815-0735-48d9-b5b3-8a3b60a85b86 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0277b2d5-6e6f-4d97-9929-a5c4eab56fd7 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a142867f-3142-4ac6-b952-ab950a29fca5 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 92012204-a7e4-4a95-bbe5-90d0d3e12735 Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 85779c9a-7fdf-4294-937c-ded183166fa8 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container instances (microsoft.containerinstance/containergroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f873a711-0322-4744-8322-7e62950fbec2 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring eb2fea88-fa7b-4531-a4c1-428c618fbcc8 Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2cc39a57-5106-4d41-b872-55c2b9d7b729 Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 20a921eb-1c4b-4bb7-a78f-6653ad293dba Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e6421995-539a-4ce3-854b-1c88534396cf Enable logging by category group for microsoft.networkcloud/baremetalmachines to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bfc6b185-2af1-4998-a32e-c0144792eeb2 Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Service Environments (microsoft.web/hostingenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c29fe1b2-c0b0-4d92-a988-84b484801707 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 415eaa04-e9db-476a-ba43-092d70ebe1e7 Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bot Services (microsoft.botservice/botservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring be9259e2-a221-4411-84fd-dd22c6691653 Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring a271e156-b295-4537-b01d-09675d9e7851 Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ed251afd-72b1-4e41-b6c9-6614420f1207 Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 96abcdc6-3c5a-4b0f-b031-9a4c1f36c9a6 Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a7c668bd-3327-474f-8fb5-8146e3e40e40 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4d46b9c1-0a86-41bf-aaf2-74d0ebf8ce66 Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.cdn/cdnwebapplicationfirewallpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63f9b4b2-de99-4b16-ad94-1a5464ac4f7d Enable logging by category group for microsoft.synapse/workspaces/kustopools to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 887d1795-3d3d-4859-9ef4-9447392db2ea Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring aaa4560d-9580-4804-a5e5-b9ffb469d49e Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 02f64cac-bab0-4950-bb95-51f2d3970efa Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b15247e4-f83b-48b2-b34e-8ea6148a0f34 Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0983eb33-77d7-47e5-9fa7-879f8cea012e Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 65a1573e-cc90-412b-8db2-ba60731b0ea6 Enable logging by category group for microsoft.customproviders/resourceproviders to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.customproviders/resourceproviders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a83fcddb-39d0-4c21-af38-76d2c935c3ca Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0509e2d8-d657-4563-a7c8-b88b9180a6e8 Enable logging by category group for microsoft.community/communitytrainings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a2361fd4-721d-4be2-9910-53be250b99ad Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 94d707a8-ce27-4851-9ce2-07dfe96a095b Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 1d98c506-1460-4424-9006-84210fa5214a Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6b80a35d-1e9a-43ac-9e0b-4519ce9f09b4 Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for HPC caches (microsoft.storagecache/caches). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f3977509-4420-4dfa-b1c9-2ab38dfd530f Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.d365customerinsights/instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a1a5f3c5-d01a-459c-8398-a3c9a79ad879 Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Video Indexer (microsoft.videoindexer/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 041e904a-33e5-45fd-b3f6-4ac95f1f8761 Enable logging by category group for microsoft.devices/provisioningservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.devices/provisioningservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d8a9593e-791e-4fd7-9b22-a75b76e5de17 Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 29565b0a-e1b5-49c1-94bf-b8b258656460 Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e92686fd-65f0-420f-a52b-7da14f3cef90 Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Recovery Services vaults (microsoft.recoveryservices/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 601e350d-405c-41d0-a886-72c283f8fab2 Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7860f3fe-0db3-42d4-bf3d-7042ea5e5787 Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbformysql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3a8ff864-d881-44ce-bed3-0c63ede634cb Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 23673f24-2594-43e9-9983-60a0be21bd76 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8963c37c-1113-4f1b-ae2e-3a5dd960a7f1 Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments/eventsources. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 856331d3-0169-4dd9-9b04-cbb2ad3d1cf2 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 14ed86b4-ea45-4b1b-98a5-eb8f5f7da726 Enable logging by category group for microsoft.openenergyplatform/energyservices to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.openenergyplatform/energyservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 14e81583-c89c-47db-af0d-f9ddddcccd9f Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring ac27709a-8e3a-4abf-8122-877af1dd9209 Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 887dc342-c6bd-418b-9407-ab0e27deba36 Enable logging by category group for microsoft.synapse/workspaces/kustopools to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 590b6105-4715-4e8b-8049-c5a4ae07d8e9 Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fea83f6c-a18a-4338-8f1f-80ecba4c5643 Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Backup vaults (microsoft.dataprotection/backupvaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b4545446-0cac-4af5-b591-61544b66e802 Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 7806c8b4-afc9-4a35-b9a9-3707413df35e Enable logging by category group for microsoft.insights/autoscalesettings to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ca05d7f2-6625-4cc3-a65a-4931b45ff139 Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bot Services (microsoft.botservice/botservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring db20d5eb-782b-4c4d-b668-06816ec72c58 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f8352124-56fa-4f94-9441-425109cdc14b Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 339855ce-39c1-4a70-adc9-103ea7aac99f Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2853b2ac-3ce0-4e51-a1e3-086591e7028a Enable logging by category group for Relays (microsoft.relay/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Relays (microsoft.relay/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 79494980-ea12-4ca1-8cca-317e942b6da2 Enable logging by category group for Application Insights (microsoft.insights/components) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (microsoft.insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6b4b3d79-2eeb-4612-b3d1-99ef609ffa4e Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f969646f-b6b8-45a0-b736-bf9b4bb933dc Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5d487647-6a53-4839-8eb8-edccf5e6bf1d Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ec51b91e-e03d-4435-b6e7-dcaffe6ba5c0 Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.customproviders/resourceproviders. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d16cdb9f-e2a8-4002-88f6-9eeaea1766f7 Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e1598217-5ff1-4978-b51d-f0238e100019 Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servergroupsv2. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a6d488fc-3520-4ec8-9cf6-c5e78d677651 Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9529ceaf-8c7e-4149-bcb6-f38f63c5e4bd Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ba00f5fb-98f7-4542-b88a-16c5ce44f26a Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring | 005380e0-1f5b-467a-8ae8-8519938627f9 | Enable logging by category group for microsoft.networkcloud/storageappliances to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/storageappliances.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 1888f765-327a-4a8d-9816-968b34ea8b78 | Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for FHIR service (microsoft.healthcareapis/workspaces/fhirservices).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 8d42b501-dd03-449d-a070-32d1db2e546b | Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed databases (microsoft.sql/managedinstances/databases).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | a474a6be-35da-4c8a-ae97-f97d03bbd213 | Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dev centers (microsoft.devcenter/devcenters).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Azure Update Manager | 9905ca54-1471-49c6-8291-7582c04cd4d4 | [Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines.
    This policy will set the prerequisite needed to schedule recurring updates on Azure Update Manager by configuring patch orchestration to 'Customer Managed Schedules'. This change will automatically set the patch mode to 'AutomaticByPlatform' and set 'BypassPlatformSafetyChecksOnUserSchedule' to 'True' on Azure VMs. The prerequisite is not applicable for Arc-enabled servers. Learn more - https://learn.microsoft.com/en-us/azure/update-manager/dynamic-scope-overview?tabs=avms#prerequisites
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, Disabled
    Roles (count: 001): Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 7646801f-46d5-48d0-9e18-efb884944f3e | Enable logging by category group for microsoft.customproviders/resourceproviders to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.customproviders/resourceproviders.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 819c6fd1-432a-4516-a9cb-0c4462af610f | Enable logging by category group for microsoft.powerbi/tenants/workspaces to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.powerbi/tenants/workspaces.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 557c828f-aa51-40d9-868a-cff8d3982818 | Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 9dc3e252-1cff-4ae5-bcad-5a92b7167d43 | Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service Environments (microsoft.web/hostingenvironments).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 1aa5a06a-0cee-4598-8200-94755d500381 | Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MariaDB servers (microsoft.dbformariadb/servers).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 6af023b1-4841-4b54-8f3d-69caa4e558cb | Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application groups (microsoft.desktopvirtualization/applicationgroups).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | de5d5895-642e-4d19-a14e-08a67b2dd152 | Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MariaDB servers (microsoft.dbformariadb/servers).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | aa78af66-1659-40aa-90b0-b35b616adbdc | Enable logging by category group for microsoft.networkanalytics/dataproducts to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkanalytics/dataproducts.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | bbf47f27-95e4-46a0-82e1-898ce046d857 | Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.azuresphere/catalogs.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | ca09affa-60d6-4cef-9037-b7372e1ac44f | Enable logging by category group for microsoft.network/vpngateways to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/vpngateways.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 2453e322-a7e5-4905-ba1e-ac6ea60ff808 | Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 3d9b8097-326d-4675-8cff-cce4580c9208 | Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Code Signing Accounts (microsoft.codesigning/codesigningaccounts).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 9fcae8ed-246a-407b-8f75-f3500ff2c9db | Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Batch accounts (microsoft.batch/batchaccounts).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | b90ec596-faa6-4c61-9515-34085703e260 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 99b76532-523c-44da-8d28-3af059fd7fbb | Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Topics (microsoft.eventgrid/partnertopics).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 64948b6b-409d-4af2-970f-3b80fea408c1 | Enable logging by category group for microsoft.networkcloud/clusters to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/clusters.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 9c79e60b-99f2-49f3-b08c-630d269bddc1 | Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure AD Domain Services (microsoft.aad/domainservices).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 13bf624e-fe24-40f0-9a7c-066e28a50871 | Enable logging by category group for microsoft.devices/provisioningservices to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.devices/provisioningservices.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | fc744b31-a930-4eb5-bc06-e81f98bf7214 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 8fc4ca5f-6abc-4b30-9565-0bd91ac49420 | Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | b9d3f759-4cda-43cf-8f64-5b01aeb1c21a | Enable logging by category group for microsoft.networkcloud/clusters to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkcloud/clusters.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 78d285d5-f767-43f8-aa36-4616daaf9d51 | Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Backup vaults (microsoft.dataprotection/backupvaults).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | f9431f54-4c78-47ef-aac9-2b37cbaeae75 | Enable logging by category group for Logic apps (microsoft.logic/workflows) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Logic apps (microsoft.logic/workflows).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 58e22268-dacf-4b7f-b445-338a7e56d23c | Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Logic apps (microsoft.logic/workflows).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | c5ecf495-6caa-445c-b431-04fda56c555a | Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for ExpressRoute circuits (microsoft.network/expressroutecircuits).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | f48e8ce0-91bd-4d51-8aba-8990d942f999 | Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | b797045a-b3cd-46e4-adc4-bbadb3381d78 | Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | bd0965d6-9544-406a-90b5-dc2d566670b8 | Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed databases (microsoft.sql/managedinstances/databases).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 95f9d29c-defd-4387-b73b-5cdb4a982bf0 | Enable logging by category group for microsoft.dbformysql/flexibleservers to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbformysql/flexibleservers.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 37d5d366-8544-498a-9106-00185b29a9e3 | Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.cdn/cdnwebapplicationfirewallpolicies.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 271ccc7b-8334-48c5-b90b-edf37dfb2d00 | Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data factories (V2) (microsoft.datafactory/factories).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | cd0a772a-62ba-4295-8311-d6710ebe967b | Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data collection rules (microsoft.insights/datacollectionrules).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 5fbd326d-328c-414e-a922-2d6963998962 | Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/flexibleservers.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 0fff3e39-f422-45b0-b497-33a05b996d3e | Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid System Topics (microsoft.eventgrid/systemtopics).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | aec4c33f-2f2a-4fd3-91cd-24a939513c60 | Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | a6dd4d00-283d-4765-b3d1-44ace2ccacda | Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkfunction/azuretrafficcollectors.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 73fb42d8-b57f-41cd-a840-8f4dedb1dd27 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | d111f33e-5cb3-414e-aec4-427e7d1080c9 | Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Analytics (microsoft.datalakeanalytics/accounts).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 0b6b8abb-7761-4e02-ae0e-2c873b5152ca | Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Spring Apps (microsoft.appplatform/spring).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 47f4c5ae-1b43-4620-bcbd-65e2ee6fb7c8 | Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | a9ebdeda-251a-4311-92be-5167d73b1682 | Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 69e0da8f-ca50-479d-b1a8-33a31426c512 | Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Notification Hub Namespaces (microsoft.notificationhubs/namespaces).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 8def4bdd-4362-4ed6-a26f-7bf8f2c58839 | Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Search services (microsoft.search/searchservices).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | fc66c506-9397-485e-9451-acc1525f0070 | Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 068e22bd-8057-466b-9642-7cd2ca476158 | Enable logging by category group for microsoft.timeseriesinsights/environments to Log Analytics
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.timeseriesinsights/environments.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | f5094957-e0f7-4af2-9e14-13d60141dc4a | Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 0b726841-c441-44ed-a2cc-d321e3be3ed7 | Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/storageappliances.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 72d254bb-d0ed-42f2-9160-6b11b65b599c | Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 499b7900-f44e-40ea-b8d3-2f3cf75f2ca4 | Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/flexibleservers.
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 3dd58519-427e-42a4-8ffc-e415a3c716f1 | Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn

Monitoring | 34705075-71e2-480c-a9cb-6e9387f47f0f | Enable logging by category group for Relays (microsoft.relay/namespaces) to Event Hub
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Relays (microsoft.relay/namespaces).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 002): Azure Event Hubs Data Owner, Log Analytics Contributor
    add | new Policy | 2024-04-29 17:47:10 | BuiltIn

Monitoring | e97f20f4-8bf0-4a35-a319-38f4144228f5 | Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Storage
    Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bot Services (microsoft.botservice/botservices).
    Default: DeployIfNotExists | Allowed: DeployIfNotExists, AuditIfNotExists, Disabled
    Roles (count: 001): Log Analytics Contributor
    add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ae0fc3d3-c9ce-43e8-923a-a143db56d81e Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fa570aa1-acca-4eea-8e5a-233cf2c5e4c2 Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Caches (microsoft.cache/redisenterprise/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bb7bbee6-718c-4a71-a474-9f9f0e2a55e4 Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 106cd3bd-50a1-466c-869f-f9c2d310477b Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e40b8f6f-0ecf-4c3b-b095-ba3562256e48 Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1abe42e1-a726-4dee-94c2-79f364dac9b7 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 041fdf14-0dd4-4ce0-83ff-de5456be0c85 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3ce7ba9e-058f-4ce9-b4d6-22e6c1238904 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cac9e1c5-c3cb-47fa-8d4c-88b8559262d2 Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6a664864-e2b5-413e-b930-f11caa132f16 Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2f4d1c08-3695-41a7-a0a0-8db4a0e25233 Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Recovery Services vaults (microsoft.recoveryservices/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63a8eb0d-f030-4bc6-a1e4-6998f23aa160 Enable logging by category group for microsoft.networkcloud/clusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3d034ef2-001c-46f6-a47b-e6e4a74ff89b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 20017523-2fd1-49a8-a766-79cbc572b827 Enable logging by category group for microsoft.timeseriesinsights/environments to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.timeseriesinsights/environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fcfe6bfa-dd36-40ef-ab2b-ed46f7d4abdb Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 40654dcd-0b26-49d6-aeaf-d12d7c1e8c4d Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 68d95589-2f07-42e3-ae6d-80a2ae3edbc4 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 889bfebf-7428-426e-a86f-79e2a7de2f71 Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Load balancers (microsoft.network/loadbalancers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 60579569-3633-42cb-ae6a-195080bf310d Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkfunction/azuretrafficcollectors. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 77c56019-5c71-4d33-9ce3-7a817f2bc7fa Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ae48c709-d2b4-4fad-8c5c-838524130aa4 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring c13b41e7-a45f-4600-96c0-18f84fb07771 Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 751f9297-5aae-4313-af2d-2a89226a7856 Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data factories (V2) (microsoft.datafactory/factories). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4c9cd884-3e45-4588-ac9d-00d44be2cbcd Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f231d9f4-9110-40eb-979e-e4eac6602be2 Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure API for FHIR (microsoft.healthcareapis/services). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 305408ed-dd5a-43b9-80c1-9eea87a176bb Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b9c8d1de-593f-472f-b32a-7e2fe0c2374a Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ed6ae75a-828f-4fea-88fd-dead1145f1dd Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring c1c0dd3c-6354-4265-a88b-801f84649944 Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8e29fe36-d794-4c55-87d6-5a206031dde2 Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1568dd08-cca0-4073-bfd8-e08a7fdc543e Enable logging by category group for microsoft.workloads/sapvirtualinstances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5f6f2aba-e57f-42ed-9aeb-ffa7321a56db Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f55ffc18-72c5-479c-a998-dc6806a6fa89 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d8624de8-47fe-47c0-bea0-2d8329b628fe Enable logging by category group for microsoft.network/vpngateways to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/vpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0e4325e3-228b-40f0-83ae-9c03276858c1 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dfbfceaa-14b2-4a90-a679-d169fa6a6a38 Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring da9b245a-05a9-4c2a-acb3-5afe62658776 Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fe85de62-a656-4b79-9d94-d95c89319bd9 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 1c5187ed-9863-4961-bb92-c72bc3883e24 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e488a548-7afd-43a7-a903-2a6dd36e7504 Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 852877d5-b61d-4741-b649-85a324bb3fd4 Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Shares (microsoft.datashare/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0bb5a1fb-b1ad-45fd-880e-a590f2ec8d1c Enable logging by category group for microsoft.documentdb/cassandraclusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/cassandraclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring c3b912c2-7f5b-47ac-bd52-8c85a7667961 Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 315c965f-c0d7-4397-86d3-c05a0981437a Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e7c86682-34c1-488a-9aab-9cb279207992 Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 03a087c0-b49f-4440-9ae5-013703eccc8c Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 064a3695-3197-4354-816b-65c7b952db9e Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 76e7a3b8-3822-4ca2-92d8-c20616fd870b Enable logging by category group for microsoft.powerbi/tenants/workspaces to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.powerbi/tenants/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f7407db8-e40d-4efd-9fff-c61298e01fd5 Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a9725bd4-a2ad-479f-a29b-5e163cada399 Enable logging by category group for microsoft.networkcloud/baremetalmachines to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8d253bba-a338-4fd9-9752-6b6edadca1eb Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 4891dace-710e-40bd-b81f-6a0b9871b50b Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Notification Hub Namespaces (microsoft.notificationhubs/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0f708273-cf83-4d29-b31b-ebaf8d0eb8c2 Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 73baf464-93bb-450f-bda5-209c16d28dc3 Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3372b9c2-d179-4190-9f0c-e6f6304d0e93 Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application groups (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 60af09fa-d167-44da-9bfc-21a49546a7b5 Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Backup vaults (microsoft.dataprotection/backupvaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4f925033-4d52-4619-909c-9c47a687dc51 Enable logging by category group for microsoft.networkcloud/storageappliances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkcloud/storageappliances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 84509667-1a94-4255-9e5f-b479075c1069 Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servergroupsv2. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring fc2bb2e1-739a-4a03-86a2-16ad55e90bd9 Enable logging by category group for microsoft.powerbi/tenants/workspaces to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.powerbi/tenants/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 34c7546c-d637-4b5d-96ab-93fb6ed07af8 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring d3e11828-02c8-40d2-a518-ad01508bb4d7 Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 116b1633-30d0-4e9a-a665-8aea3dc906c6 Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.servicenetworking/trafficcontrollers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ccdd9d7c-2bb6-465b-8ea1-5584b4af072e Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cf6ff94d-c483-4491-976a-eb784101217a Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 83089e56-9675-4bc8-ae7d-ca4547dc764b Enable logging by category group for microsoft.network/networksecurityperimeters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5164fdc7-cfcd-4bd8-a3e9-f4be93166cde Enable logging by category group for microsoft.workloads/sapvirtualinstances to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring ee64264d-f9e3-4a0e-bbe2-db4319aeaf42 Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Endpoints (microsoft.cdn/profiles/endpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 81039988-1f84-4aa6-8039-0a64c2a301b4 Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring cc789f91-3e63-4cfb-86f4-87565055f269 Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/workspaces/onlineendpoints. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6ccd32f6-0a9a-40cf-9c5b-6cfd6aba33e9 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0925a080-ab8d-44a1-a39c-61e184b4d8f9 Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 6201aeb7-2b5c-4671-8ab4-5d3ba4d77f3b Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2e8a8853-917a-4d26-9c3a-c92a7fa031e8 Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring dfe69c56-9c12-4271-9e62-7607ab669582 Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 10e8c93c-658d-47e8-aa6f-ed60f329c060 Enable logging by category group for microsoft.documentdb/mongoclusters to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.documentdb/mongoclusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 322b6192-a99b-4ab6-9b40-43ca19dcd0d9 Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8464ded4-af15-4319-950f-a30400d35247 Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 244bcb20-b194-41f3-afcc-63aef382b64c Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves) Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Patch (1.0.0 > 1.0.1) 2024-04-29 17:47:10 BuiltIn
Monitoring 1118afbc-c48d-43ae-931a-87b38956d40b Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 63d1a629-735c-448b-b45f-5e3865e84cf5 Enable logging by category group for Logic apps (microsoft.logic/workflows) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Logic apps (microsoft.logic/workflows). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 668e9597-4ccc-452f-80be-e9dd5b2ab897 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a26c842f-bee7-4a1f-9ae1-a973d3a0075a Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring eb5a4c26-04cb-4ab1-81cb-726dc58df772 Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring b70d4e3a-b1d5-4432-b058-7ea0a4c02a4e Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.connectedcache/enterprisemcccustomers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6f7fa8b1-4456-4d4c-94c2-1f1651b18235 Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9f4e810a-899e-4e5e-8174-abfcf15739a3 Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 35806bc0-0260-4642-bae7-0ed677b3da44 Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2308e22a-85e9-431d-8c47-36072dfa64b5 Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.servicenetworking/trafficcontrollers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 56288eb2-4350-461d-9ece-2bb242269dce Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 40f0d036-d73d-45a9-8c3d-f3f84d227193 Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Batch accounts (microsoft.batch/batchaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring baa4c6de-b7cf-4b12-b436-6e40ef44c8cb Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 116caf13-2666-4a2e-afca-9a5f1e671b11 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 140ad507-70f0-43cb-a7cb-a8964341aefa Enable logging by category group for Application Insights (microsoft.insights/components) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Application Insights (microsoft.insights/components). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring acbb9698-46bd-4800-89da-e3473c4ab10d Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring be26ca28-761d-4538-b78a-975eb47c680c Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b88bfd90-4da5-43eb-936f-ae1481924291 Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5b67d7f3-488f-42df-ab16-e38a913fcdba Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Spring Apps (microsoft.appplatform/spring). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 75a112bc-759f-4f29-83cc-799019db39c3 Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Load Testing (microsoft.loadtestservice/loadtests). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bbdbb83b-cbfe-49f7-b7d1-1126630a68b7 Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.dbforpostgresql/servers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b9b976cc-59ef-468a-807e-19afa2ebfd52 Enable logging by category group for microsoft.network/p2svpngateways to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5a1fa110-16bc-49d0-a045-29a552b67cef Enable logging by category group for microsoft.synapse/workspaces/kustopools to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.synapse/workspaces/kustopools. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1bd91eae-4429-4f23-b780-8c9622e023e3 Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure AD Domain Services (microsoft.aad/domainservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5360664a-5821-4f43-8988-3f0ed8f3f8a5 Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkanalytics/dataproducts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50d96640-65c9-42de-b79a-95c1890c6ec8 Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.networkfunction/azuretrafficcollectors. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e260a121-c160-4da3-8a0f-e2c0ff6c561e Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for FHIR service (microsoft.healthcareapis/workspaces/fhirservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e9b1fed8-35a2-47d0-b8aa-3834f5032862 Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Synapse Analytics (microsoft.synapse/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bdef6e51-210f-4dc3-87b4-eef30f2e6a17 Enable logging by category group for microsoft.community/communitytrainings to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b55f2e8e-dc76-4262-a0e3-45f02200ff0e Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP Prefixes (microsoft.network/publicipprefixes). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 33835ef6-bc67-4bde-bf5f-5a857f195a57 Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b14e31e2-22d0-48bb-907e-cfb3487e2120 Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for HPC caches (microsoft.storagecache/caches). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 18009236-18d3-48e3-bd21-4e7630153611 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 234bbd1b-05f6-4639-8770-1cd5278ba2c9 Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8d0726a6-abae-4b04-9d2e-1f2f67a47e6d Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f0d25196-1ea4-49e1-ad53-ccada27b4862 Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for DICOM service (microsoft.healthcareapis/workspaces/dicomservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 98569e20-8f32-4f31-bf34-0e91590ae9d3 Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-29 17:47:10 BuiltIn
Monitoring d9f11fea-dd45-46aa-8908-b7a146f1e543 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 434b25a4-5396-41ec-97aa-1f4ae3bf269d Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3534c358-8a1c-4601-b6ff-43d378d65efa Enable logging by category group for microsoft.devices/provisioningservices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.devices/provisioningservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 605dd1c9-db6f-496f-ba7f-841ea3e246e0 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2f6556cb-a2da-4130-a0dd-e5d05dccf9bb Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Video Indexer (microsoft.videoindexer/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9b6f89db-876b-4156-9f9b-f29dcf302ad2 Enable logging by category group for microsoft.azuresphere/catalogs to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.azuresphere/catalogs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 69214fad-6742-49a9-8f71-ee9d269364ab Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2fbd2ca9-e7b2-47a0-a8b2-575f3f7607d4 Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.cdn/cdnwebapplicationfirewallpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b6f29e6b-4b21-4bb6-a997-38592fa02864 Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 20e491a1-11fe-4d11-ab4e-a81edd23672e Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring be3ddb6b-c328-4ecd-91e8-c2804868ea9c Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbformysql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2eb903dd-4881-4284-a31d-4bae3f053946 Enable logging by category group for microsoft.community/communitytrainings to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.community/communitytrainings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 087dbf66-448d-4235-b7b8-17af48edc9db Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a21ac20a-4dd3-40e9-8036-b3351ecf9319 Enable logging by category group for microsoft.timeseriesinsights/environments to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.timeseriesinsights/environments. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 07c818eb-df75-4465-9233-6a8667e86670 Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 7a8afaba-cc24-4306-b83f-d178f1a10ba2 Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Power BI Embedded (microsoft.powerbidedicated/capacities). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 90c90eda-bfe7-4c67-bf26-410420ed1047 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5a69fd36-760e-4a65-a621-836f1159e304 Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.notificationhubs/namespaces/notificationhubs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b4a9c220-1d62-4163-a17b-30db7d5b7278 Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring f6d5d5d5-0fa9-4257-b820-69c35016c973 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2db34cad-25ef-48e3-a787-c2cd36434cd7 Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 621d8969-4918-45e7-954b-2fb0b42e7059 Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a78631da-8506-4113-96f4-2805de193083 Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Managed Grafana (microsoft.dashboard/grafana). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 2cb215be-a09b-4623-ac2f-dfc5012b1a5b Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for ExpressRoute circuits (microsoft.network/expressroutecircuits). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0dac4c0b-0ca4-4c6e-9a09-61917873b3b0 Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.networkcloud/baremetalmachines. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 22c8a30b-c5c1-4434-b837-2772543d3c3c Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid System Topics (microsoft.eventgrid/systemtopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 82b076b9-2062-4516-ae4c-37b1890eabb2 Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Dev centers (microsoft.devcenter/devcenters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50bdafe5-c7b6-4812-af5f-75dc00561aed Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring | a05c2daf-be1f-4d2c-8a12-b3627d477b44 | Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed databases (microsoft.sql/managedinstances/databases). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | e1bf4d43-542a-4410-918d-7e61c8e1ac21 | Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | e9e99d63-621a-4a33-8799-0fb53e43f162 | Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Scaling plans (microsoft.desktopvirtualization/scalingplans). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 824142d3-eccb-4b7c-8403-319610811237 | Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data collection rules (microsoft.insights/datacollectionrules). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | f48c1843-fc88-47c1-9b01-4527c76c890a | Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Managed Grafana (microsoft.dashboard/grafana). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 8181847d-3422-4030-b815-481934740b63 | Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.azuresphere/catalogs. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | a08af17e-c2a3-478e-a819-94839ef02b32 | Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/networkmanagers/ipampools. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 8ea88471-98e1-47e4-9f63-838c990ba2f4 | Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Scaling plans (microsoft.desktopvirtualization/scalingplans). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 5e6697bc-9d6d-4de9-95f9-898f130372df | Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Video Indexer (microsoft.videoindexer/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | a5385dba-3caf-43da-8804-c68174d315a7 | Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Storage Gen1 (microsoft.datalakestore/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 50ca36f4-5306-4275-ad42-a40ca2805c77 | Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Databricks Services (microsoft.databricks/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 76539a09-021e-4300-953b-4c6018ac26dc | Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 6f3f5778-f809-4755-9d8f-bd5a5a7add85 | Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 0fdc6116-c747-449c-b9cc-330fcd4c5c9c | Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/dnsresolverpolicies. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 6b359d8f-f88d-4052-aa7c-32015963ecc1 | Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 9ba29e83-863d-4fec-81d0-16dd87067cc3 | Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 6248cb7c-e485-42ad-ba20-b1ee8fba7674 | Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Databricks Services (microsoft.databricks/workspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | b678d84d-9723-4df0-a131-82c730231f1e | Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Recovery Services vaults (microsoft.recoveryservices/vaults). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | e0f5ec01-8979-49bf-9fd7-2a4eff9fa8e0 | Enable logging by category group for microsoft.network/vpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/vpngateways. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | d7d59290-3ee5-4c1b-b408-c38b21799aea | Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.managednetworkfabric/networkdevices. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 69ab8bfc-dc5b-443d-93a7-7531551dec66 | Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 0e0c742d-5031-4e65-bf96-1bee7cf55740 | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 3d7d0cc7-bd72-4f41-bf55-0be57faa3883 | Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/servers. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 42e5ad1f-57fd-49a7-b0e4-c7a7ae25ba3d | Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | a285df35-0164-4f4d-9e04-c39056742c55 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 0ba93a1b-ac4d-4e7b-976a-548a18be1e52 | Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Experiment Workspaces (microsoft.experimentation/experimentworkspaces). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 3ca36b5c-2f29-41a0-9b1d-80e2cdf2d947 | Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Load balancers (microsoft.network/loadbalancers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | ebd6e41f-c33e-4e16-9249-cee4c68e6e8c | Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.notificationhubs/namespaces/notificationhubs. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | a81eb966-6696-46b1-9153-bed01569a7d0 | Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | change | Minor (1.1.0 > 1.2.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | a972fe34-7882-4476-87cf-eb9631785fb5 | Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servergroupsv2. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 90425e88-1eab-420c-964e-fc1dc79833a6 | Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Batch accounts (microsoft.batch/batchaccounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 614d9fbd-68cd-4832-96db-3362069661b2 | Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 971199b6-1971-4d3e-85b0-fa7639044679 | Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Search services (microsoft.search/searchservices). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 5305ea79-c247-456a-bdbd-dc35cef62ce1 | Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Dev centers (microsoft.devcenter/devcenters). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | e9c56c41-d453-4a80-af93-2331afeb3d82 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 637125fd-7c39-4b94-bb0a-d331faf333a9 | Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, Disabled | Roles (1): Virtual Machine Contributor | change | Minor (1.4.0 > 1.5.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 145ff119-bfcf-443a-834c-b59859ec3ee7 | Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Caches (microsoft.cache/redisenterprise/databases). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 93a604fe-0ec2-4a99-ab8c-7ef08f05555a | Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | efa9bf93-28f9-4f05-8e8c-31b8875e9713 | Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Storage movers (microsoft.storagemover/storagemovers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 1859cd03-7f77-495d-a0ce-336a36a6830d | Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application Insights (microsoft.insights/components). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | abb62520-ee66-4bdb-96d3-49ad98c66131 | Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Spring Apps (microsoft.appplatform/spring). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 8af74447-9495-4245-8e49-f74723dcd231 | Enable logging by category group for microsoft.openenergyplatform/energyservices to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.openenergyplatform/energyservices. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (2): Azure Event Hubs Data Owner, Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 4c67a1c0-8e77-4f4b-b572-5c11695aae2d | Enable logging by category group for microsoft.d365customerinsights/instances to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.d365customerinsights/instances. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 3d28ea18-8e88-4160-96ff-4b6af4fd94c7 | Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for HPC caches (microsoft.storagecache/caches). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 55d1f543-d1b0-4811-9663-d6d0dbc6326d | Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 69d4fcec-8426-426a-ad48-439fd3b14e9e | Enable logging by category group for microsoft.dbforpostgresql/servers to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.dbforpostgresql/servers. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | d3abca82-2ae2-4707-bf5e-cfc765ce9ff1 | Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.servicenetworking/trafficcontrollers. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | e25bcb29-0412-42c3-a526-1ff794310a1e | Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure API for FHIR (microsoft.healthcareapis/services). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 20f21bc7-b0b8-4d57-83df-5a8a0912b934 | Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | d147ba9f-3e17-40b1-9c23-3bca478ba804 | Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | c600af08-49ff-4f7a-b5c9-0686749387b7 | Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container instances (microsoft.containerinstance/containergroups). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 7e87b2cc-1e49-4e07-a651-a2f38d4667ad | Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Data collection rules (microsoft.insights/datacollectionrules). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | e74570cf-1b7d-4bed-b79e-d1fd1117a39a | Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Endpoints (microsoft.cdn/profiles/endpoints). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | f08edf17-5de2-4966-8c62-a50a3f4368ff | Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | change | Minor (1.0.0 > 1.1.0) | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 6ee1c58c-a123-4cd6-8643-48b2f7ffb3e1 | Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networkmanagers/ipampools. | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring | 1bd3a451-9f38-43e5-aed3-bede117c3055 | Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Data Lake Analytics (microsoft.datalakeanalytics/accounts). | Default: DeployIfNotExists; Allowed: DeployIfNotExists, AuditIfNotExists, Disabled | Roles (1): Log Analytics Contributor | add | new Policy | 2024-04-29 17:47:10 | BuiltIn
Monitoring 40ce1496-89c2-40cf-80e5-3c4687d2ee4b Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1cd30d13-d34c-4cb8-8f9d-4692f7d40d97 Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d98f63ed-e319-4dc3-898f-600953a05f7e Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Managed Grafana (microsoft.dashboard/grafana). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring edf35972-ed56-4c2f-a4a1-65f0471ba702 Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 9dbcaaa7-0c1b-4861-81c2-d340661b4382 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 818719e5-1338-4776-9a9d-3c31e4df5986 Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring adeec880-527c-4def-a2bf-3053be70eef8 Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.managednetworkfabric/networkdevices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 00ec9865-beb6-4cfd-82ed-bd8f50756acd Enable logging by category group for microsoft.network/p2svpngateways to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0fcf2d91-8951-43be-9505-ab43dee2f580 Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 93319447-e347-406b-953f-618c3b599554 Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for ExpressRoute circuits (microsoft.network/expressroutecircuits). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3893777a-aaf0-4b74-b08a-14ca9e5a9608 Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container Apps Environments (microsoft.app/managedenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring aade2723-e7f6-46fd-b1dc-e6c2c7f7edc4 Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for 1ES Hosted Pools (microsoft.cloudtest/hostedpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 14681907-c749-4d60-8eae-1038537fb8a3 Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring dc1b5908-da05-4eed-a988-c5e32fdb682d Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/dnsresolverpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0da6faeb-d6c6-4f6e-9f49-06277493270b Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2d8b0f41-9850-4bac-b63b-96a882a0e683 Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Connected Cache Resources (microsoft.connectedcache/ispcustomers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5e23caa9-3cea-4f5b-a181-ba6a3bdb91ef Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure API for FHIR (microsoft.healthcareapis/services). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 39741c6f-5e8b-4511-bba4-6662d0e0e2ac Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 12000b3e-e38b-4bef-9098-38785f06ea32 Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 68ba9fc9-71b9-4e6f-9cf5-ecc07722324c Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 58cb2d8e-623c-4557-bb4e-0b64cb41ec55 Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Service Environments (microsoft.web/hostingenvironments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0e861bb0-d926-4cdb-b2d6-d59336b8f5b3 Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.networkanalytics/dataproducts. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 792f8b74-dc05-44fd-b90d-340a097b80e6 Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3496f6fd-57ba-485c-8a14-183c4493b781 Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 3ec48f10-33fc-40d2-aaf2-028c4f7bbd02 Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MySQL servers (microsoft.dbformysql/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e2526c67-0363-4da9-96f8-a95d746cf60b Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Playwright Testing (microsoft.azureplaywrightservice/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a8de4d0a-d637-4684-b70e-6df73b74d117 Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 4ce6d386-fc8e-4ac4-9bff-e5859625cea4 Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Endpoints (microsoft.cdn/profiles/endpoints). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 867c08d5-bc47-404d-9a1b-0aec7a8d34eb Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f62b9eab-b489-4388-9874-b0a62ca31327 Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 50cebe4c-8021-4f07-bcb2-6c80622444a9 Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring ffe49e3d-50dd-4137-8fe5-6877c4384b69 Enable logging by category group for microsoft.workloads/sapvirtualinstances to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.workloads/sapvirtualinstances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3c25d50c-bd5a-4f98-a0de-2495e000cfa7 Enable logging by category group for microsoft.openenergyplatform/energyservices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.openenergyplatform/energyservices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5a6186f9-04a4-4320-b6ed-a1c3f2ebbc3b Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 0eb11858-8d9f-4525-b9ab-cc5eab07d27a Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed CCF Apps (microsoft.confidentialledger/managedccfs). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9df7e623-1f7c-47fa-9db6-777c9a3f2636 Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.autonomousdevelopmentplatform/workspaces. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 6308bf75-8340-4bab-b2ec-2f5000697af4 Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.classicnetwork/networksecuritygroups. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 257954d9-4adf-410b-9751-3bb22fe9c180 Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure AD Domain Services (microsoft.aad/domainservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 56ae9f08-b8c9-4a0f-8f58-5dbcd63bef84 Enable logging by category group for Relays (microsoft.relay/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Relays (microsoft.relay/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5798b390-1b02-47b7-88fb-90adf07e8d1b Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 8d0e693f-1b54-41d1-880e-199c3caed23f Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual networks (microsoft.network/virtualnetworks). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 17f18067-406f-49b2-84ce-d1eb66c3fc75 Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 4b05de63-3ad2-4f6d-b421-da21f1328f3b Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring e6acdfc4-25e3-4b36-9b0c-5c5743edd1b7 Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Workspaces (microsoft.desktopvirtualization/workspaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a819f227-229d-44cb-8ad6-25becdb4451f Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 480ee186-7504-48ac-b64e-af38673aa2c6 Enable logging by category group for Search services (microsoft.search/searchservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Search services (microsoft.search/searchservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 39078c44-b8d4-4c7d-8579-7f021d326ebf Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Chaos Experiments (microsoft.chaos/experiments). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0ebe872d-7029-4292-88bc-ad3e2cf3772f Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/networksecurityperimeters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e99ab54f-260e-4925-a70f-8fe0a92443ef Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Storage movers (microsoft.storagemover/storagemovers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 059e6dd0-544a-4c93-abad-b3ad77667339 Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Host pools (microsoft.desktopvirtualization/hostpools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5d7409c0-fb8e-4052-9969-ef09f12fd166 Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Live events (microsoft.media/mediaservices/liveevents). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 08240c20-e48f-47d9-9305-2a8c4da75a3e Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Storage movers (microsoft.storagemover/storagemovers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 30499756-47d6-493c-9e57-ee3db2d9fa96 Enable logging by category group for microsoft.insights/autoscalesettings to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.insights/autoscalesettings. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 3227dfd8-3536-4336-94c9-78633be6baa2 Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Analysis Services (microsoft.analysisservices/servers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 5edd2580-3272-4509-b121-57054b4c70c4 Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Topics (microsoft.eventgrid/partnertopics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 82333640-495e-4249-92bb-2a5e2d07b964 Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network Managers (microsoft.network/networkmanagers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bd0079c6-6f2d-42f4-9cee-e23930968f10 Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.dbforpostgresql/flexibleservers. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring d4d93413-9560-4252-a16d-b8c3bbaf5baf Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data Lake Analytics (microsoft.datalakeanalytics/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 9756f174-ca74-4d7a-a56e-7104d8a954b0 Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Communication Services (microsoft.communication/communicationservices). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0628b917-d4b4-4af5-bc2b-b4f87cd173ab Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-29 17:47:10 BuiltIn
Monitoring ba0ba89c-1137-407f-ae7a-19152ea7ae82 Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Load balancers (microsoft.network/loadbalancers). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 60ad0a9f-f760-45ff-ab94-4c64d7439f18 Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container instances (microsoft.containerinstance/containergroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring b79bf56e-c296-4829-afea-6ac9263e7687 Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/dnsresolverpolicies. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 958060c2-8d8e-478e-b3ec-d3d2249b461c Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Code Signing Accounts (microsoft.codesigning/codesigningaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring f018b68f-d953-4238-81a3-94a0f39507e3 Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SCOPE pools (microsoft.synapse/workspaces/scopepools). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 54c7cff6-a032-43e1-9656-d4c24665f805 Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.notificationhubs/namespaces/notificationhubs. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring a511ca63-0a10-46e3-960b-bb6431e9e1a3 Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.managednetworkfabric/networkdevices. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 167dbbbc-a03a-4ebe-8e46-c34cc67f7d9d Enable logging by category group for microsoft.d365customerinsights/instances to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.d365customerinsights/instances. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 84d8a69f-788a-4025-ba96-f36406cc9ee5 Enable logging by category group for microsoft.machinelearningservices/registries to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.machinelearningservices/registries. Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 11638078-a29c-4cf3-ad7f-775f78327425 Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Application gateways (microsoft.network/applicationgateways). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 144aa510-91a0-4de9-9800-43a7ef5e947f Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Data factories (V2) (microsoft.datafactory/factories). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring bf6af3d2-fbd5-458f-8a40-2556cf539b45 Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 2137dd9f-94ac-413f-93a8-d068966308c9 Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Data Explorer Clusters (microsoft.kusto/clusters). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 1840aef8-71df-4a30-a108-efdb4f291a7f Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Integration accounts (microsoft.logic/integrationaccounts). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring e76ef589-c7d6-42cf-a61a-13471f6f50cd Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Caches (microsoft.cache/redisenterprise/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 0120ef84-66e7-4faf-aad8-14c36389697e Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Network security groups (microsoft.network/networksecuritygroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 46b2dd5d-3936-4347-8908-b298ea4466d3 Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-29 17:47:10 BuiltIn
Monitoring 5fcf46f9-194c-47ff-8889-380f57ae4617 Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewalls (microsoft.network/azurefirewalls). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Monitoring 99b3bfad-aef0-476d-ae98-40861f8eae22 Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application groups (microsoft.desktopvirtualization/applicationgroups). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
add
new Policy 2024-04-29 17:47:10 BuiltIn
Security Center 09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Security Center 04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Security Center 242300d6-1bfc-4d64-8d01-cee583709ebd Configure the Microsoft Defender for SQL Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.2.0 > 1.3.0) 2024-04-22 16:32:55 BuiltIn
Managed Identity d367bd60-64ca-4364-98ea-276775bddd94 [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machines. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) 2024-04-22 16:32:55 BuiltIn
Managed Identity 516187d4-ef64-4a1b-ad6b-a7348502976c [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets Create and assign a built-in user-assigned managed identity or assign a pre-created user-assigned managed identity at scale to virtual machine scale sets. For more detailed documentation, visit aka.ms/managedidentitypolicy. Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
count: 002
Contributor
User Access Administrator
change
Minor, suffix remains equal (1.0.6-preview > 1.1.0-preview) 2024-04-22 16:32:55 BuiltIn
Communication bcff6755-335b-484d-b435-d1161db39cdc Communication service resource should use a managed identity Assigning a managed identity to your Communication service resource helps ensure secure authentication. This identity is used by this Communication service resource to communicate with other Azure services, like Azure Storage, in a secure way without you having to manage any credentials. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-04-22 16:32:55 BuiltIn
Security Center 63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-04-22 16:32:55 BuiltIn
Security Center da0fd392-9669-4ad4-b32c-ca46aaa6c21f Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.3.0 > 1.4.0) 2024-04-22 16:32:55 BuiltIn
Communication 93c45b74-42a1-4967-b25d-82c4dc630921 Communication service resource should use allow listed data location Create a Communication service resource only from an allow listed data location. This data location determines where the data of the communication service resource will be stored at rest, ensuring your preferred allow listed data locations as this cannot be changed after resource creation. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-04-22 16:32:55 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-04-22 16:32:55 BuiltIn
Security Center c859b78a-a128-4376-a838-e97ce6625d16 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Minor (1.4.0 > 1.5.0) 2024-04-22 16:32:55 BuiltIn
Security Center 3d5ed4c2-5e50-4c76-932b-8982691b68ae Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers Enable Advanced Threat Protection on your Azure database for MySQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
add
new Policy 2024-04-12 17:45:57 BuiltIn
Security Center cfdc5972-75b3-4418-8ae1-7f5c36839390 Configure Microsoft Defender for Storage to be enabled Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Owner
change
Minor (1.1.0 > 1.2.0) 2024-04-12 17:45:57 BuiltIn
Guest Configuration 3dc5edcd-002d-444c-b216-e123bbfa37c0 Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.1.0-preview > 1.1.1) 2024-04-12 17:45:57 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring 59c3d93f-900b-4827-a8bd-562e7b956e7c Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.5.0 > 3.6.0) 2024-04-12 17:45:57 BuiltIn
Monitoring 1afdc4b6-581a-45fb-b630-f1e6051e3e7a Linux virtual machines should have Azure Monitor Agent installed Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring 845857af-0333-4c5d-bbbc-6076697da122 Configure Linux Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.3.0 > 2.4.0) 2024-04-12 17:45:57 BuiltIn
Guest Configuration ca88aadc-6e2b-416c-9de2-5a0f01d1693f Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost. Although a virtual machine's OS and data disks are encrypted-at-rest by default using platform managed keys, resource disks (temp disks), data caches, and data flowing between Compute and Storage resources are not encrypted. Use Azure Disk Encryption or EncryptionAtHost to remediate. Visit https://aka.ms/diskencryptioncomparison to compare encryption offerings. This policy requires two prerequisites to be deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Patch, old suffix: preview (1.2.0-preview > 1.2.1) 2024-04-12 17:45:57 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for Linux containers. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Azure Ai Services 55eff01b-f2bd-4c32-9203-db285f709d30 Configure Azure AI Services resources to disable local key access (disable local authentication) Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the principle of least privilege and granular control. Learn more at: https://aka.ms/AI/auth Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Cognitive Services Contributor
Cognitive Services OpenAI Contributor
add
new Policy 2024-04-12 17:45:57 BuiltIn
Monitoring 32ade945-311e-4249-b8a4-a549924234d7 Linux virtual machine scale sets should have Azure Monitor Agent installed Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-04-12 17:45:57 BuiltIn
Monitoring f17d891d-ff20-46f2-bad3-9e0a5403a4d3 Linux Arc-enabled machines should have Azure Monitor Agent installed Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-04-12 17:45:57 BuiltIn
Monitoring a4034bc6-ae50-406d-bf76-50f4ee5a7811 Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.4.0 > 3.5.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. Default
Mutate
Allowed
Mutate, Disabled
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview) 2024-04-12 17:45:57 BuiltIn
Monitoring ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.5.0 > 3.6.0) 2024-04-12 17:45:57 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.4.0 > 4.5.0) 2024-04-12 17:45:57 BuiltIn
Azure Ai Services d45520cb-31ca-44ba-8da2-fcf914608544 Configure Azure AI Services resources to disable local key access (disable local authentication) Disabling key access (local authentication) is recommended for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining the principle of least privilege and granular control. Learn more at: https://aka.ms/AI/auth Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 003
Cognitive Services Contributor
Cognitive Services OpenAI Contributor
Search Service Contributor
add
new Policy 2024-04-12 17:45:57 BuiltIn
Monitoring 56a3e4f8-649b-4fac-887e-5564d11e8d3a Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.4.0 > 3.5.0) 2024-04-12 17:45:57 BuiltIn
Kubernetes e16d171b-bfe5-4d79-a525-19736b396e92 [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes 8e875f96-2c56-40ca-86db-b9f6a0be7347 [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 6567d3f3-42d0-4cfb-9606-9741ba60fa07 Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 1a3b9003-eac6-4d39-a184-4a567ace7645 [Preview]: Kubernetes cluster container images must include the preStop hook Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 9e6aee71-3781-4acd-bba7-aac4fb067dfa Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Monitoring fc602c00-2ce3-4556-b615-fa4159517103 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 39aa567d-69c2-4cc0-aaa9-76c6d4006b14 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 1513498c-3091-461a-b321-e9b433218d28 Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. Sets container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Monitoring 480851ae-9ff3-49d1-904c-b5bd6f83f1ec Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 002
Azure Event Hubs Data Owner
Log Analytics Contributor
change
Minor (1.1.0 > 1.2.0) 2024-04-08 17:52:20 BuiltIn
Cognitive Services 0725b4dd-7e76-479c-a735-68e7ee23d5ca [Deprecated]: Cognitive Services accounts should disable public network access To improve the security of Cognitive Services accounts, ensure that they aren't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, new suffix: deprecated (3.0.1 > 3.1.0-deprecated) 2024-04-08 17:52:20 BuiltIn
Security Center 0b15565f-aa9e-48ba-8619-45960f2c314d Email notification to subscription owner for high severity alerts should be enabled To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (2.0.0 > 2.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 8656d368-0643-4374-a63f-ae0ed4da1d9a Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring 441af8bf-7c88-4efc-bd24-b7be28d4acce Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Monitoring e20f31d7-6b6d-4644-962a-ae513a85ab0b Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). Default
DeployIfNotExists
Allowed
DeployIfNotExists, AuditIfNotExists, Disabled
count: 001
Log Analytics Contributor
change
Minor (1.0.0 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Security Center 6e2593d9-add6-4083-9c9b-4b7d2188c899 Email notification for high severity alerts should be enabled To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.0.1 > 1.1.0) 2024-04-08 17:52:20 BuiltIn
Kubernetes 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. Sets container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes 021f8078-41a0-40e6-81b6-c6597da9f3ee [Preview]: Kubernetes cluster container images should not include latest image tag Requires that container images do not use the latest tag in Kubernetes. It is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Kubernetes d77f191e-2338-45d0-b6d4-4ee1c586a192 [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption. Default
Mutate
Allowed
Mutate, Disabled
add
new Policy 2024-04-08 17:52:20 BuiltIn
Network 052c180e-287d-44c3-86ef-01aeae2d9774 Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics If a virtual network already has traffic analytics enabled, this policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Contributor
change
Patch (1.1.1 > 1.1.2) 2024-03-29 18:59:24 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.2.0 > 6.3.0) 2024-03-29 18:59:24 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.3.0 > 4.4.0) 2024-03-29 18:59:24 BuiltIn
Monitoring 58e891b9-ce13-4ac3-86e4-ac3e1f20cb07 Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.1.0 > 4.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring d5c37ce1-5f52-4523-b949-f19bf945b73a Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.1.0 > 2.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 94f686d6-9a24-4e19-91f1-de937dc171a4 Configure Windows Arc-enabled machines to run Azure Monitor Agent Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Azure Connected Machine Resource Administrator
change
Minor (2.3.0 > 2.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring ca817e41-e85a-4783-bc7f-dc532d36235e Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (4.3.0 > 4.4.0) 2024-03-25 19:17:21 BuiltIn
Monitoring ec621e21-8b48-403d-a549-fc9023d4747f Windows Arc-enabled machines should have Azure Monitor Agent installed Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (1.1.0 > 1.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring eab1f514-22e3-42e3-9a1f-e1dc9199355c Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.2.0 > 4.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 244efd75-0d92-453c-b9a3-7d73ca36ed52 Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.2.0 > 3.3.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 2ea82cdd-f2e8-4500-af75-67a2e084ca74 Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (6.1.0 > 6.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring c02729e5-e5e7-4458-97fa-2b5ad0661f28 Windows virtual machines should have Azure Monitor Agent installed Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-03-25 19:17:21 BuiltIn
DevCenter ece3c79b-2caf-470d-a5f5-66470c4fc649 [Preview]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks. Disallows the use of Microsoft Hosted Networks when creating Pool resources. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-25 19:17:21 BuiltIn
Monitoring 050a90d5-7cce-483f-8f6c-0df462036dda Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (4.1.0 > 4.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 3672e6f7-a74d-4763-b138-fcf332042f8f Windows virtual machine scale sets should have Azure Monitor Agent installed Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
change
Minor (3.1.0 > 3.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 001
Virtual Machine Contributor
change
Minor (3.3.0 > 3.4.0) 2024-03-25 19:17:21 BuiltIn
Backup d6588149-9f06-462c-a076-56aece45b5ba [Preview]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. Also an option to enforce Infra Encryption. This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, there is an option to check whether the Backup Vault also has Infrastructure Encryption enabled. Learn more at https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk. Please note that when the 'Deny' effect is used, you would need to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault to go through. Default
Audit
Allowed
Audit, Deny, Disabled
add
new Policy 2024-03-25 19:17:21 BuiltIn
Monitoring c24c537f-2516-4c2f-aac5-2cd26baa3d26 Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations is updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (2.1.0 > 2.2.0) 2024-03-25 19:17:21 BuiltIn
Monitoring 0a3b9bf4-d30e-424a-af6b-9a93f6f78792 Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Log Analytics Contributor
Monitoring Contributor
change
Minor (3.2.0 > 3.3.0) 2024-03-25 19:17:21 BuiltIn
Security Center 0fc39691-5a3f-4e3e-94ee-2e6447309ad9 [Deprecated]: Azure running container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (1.0.3 > 1.1.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Security Center 5f0f936f-2f01-4bf5-b6be-d423792fa562 [Deprecated]: Azure registry container images should have vulnerabilities resolved (powered by Qualys) As outlined in the unified vulnerability assessment solution strategy blog (https://aka.ms/MDCUnifiedVAblog), we have made a strategic decision to unify all vulnerability assessment solutions in Defender for Cloud to use Defender vulnerability management. As part of this change, the built-in Qualys offering is now retired. See https://aka.ms/TransitionToMDVM4Containers for more information and transition guidelines. Default
Disabled
Allowed
AuditIfNotExists, Disabled
change
Minor, new suffix: deprecated (2.0.2 > 2.1.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 [Preview]: Must Have Anti Affinity Rules Set This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest f8d398ae-0441-4921-a341-40f3973d4647 [Deprecated]: Azure Data Factory pipelines should only communicate with allowed domains. Versioning Test BuiltIn This is a test policy only for internal use by Policy team. To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy. Default
Disabled
Allowed
Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes 36a27de4-199b-40fb-b336-945a8475d6c5 Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access Improve cluster security by centrally governing Administrator access to Microsoft Entra ID integrated AKS clusters. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (2.0.4 > 2.1.0) 2024-03-15 22:15:34 BuiltIn
Kubernetes b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 [Preview]: Kubernetes cluster services should use unique selectors Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest 85793e88-5a58-4555-93fa-4df63c86ae9c [Deprecated]: Azure Machine Learning Model Registry Deployments are restricted except for the allowed Registry. Versioning Test BuiltIn. Only deploy Registry Models in the allowed Registry and that are not restricted. Default
Disabled
Allowed
Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
General 78460a36-508a-49a4-b2b2-2f5ec564f4bb Do not allow deletion of resource types This policy enables you to specify the resource types that your organization can protect from accidental deletion by blocking delete calls using the deny action effect. Default
DenyAction
Allowed
DenyAction, Disabled
change
Patch, old suffix: preview (1.0.0-preview > 1.0.1) 2024-03-15 22:15:34 BuiltIn
BuiltInPolicyTest 83a0809a-a4e3-4ef2-8a24-2afc156607af [Deprecated]: No AKS Specific Labels. Versioning Test BuiltIn. This is a test policy only for internal use by the Policy team. Prevents customers from applying AKS-specific labels. Default
Disabled
Allowed
Audit, Deny, Disabled
change
Minor, suffix remains equal (2.1.0-deprecated > 2.2.0-deprecated) 2024-03-15 22:15:34 BuiltIn
Kubernetes 53a4a537-990c-495a-92e0-7c21a465442c [Preview]: Cannot Edit Individual Nodes Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes a22123bd-b9da-4c86-9424-24903e91fd55 [Preview]: No AKS Specific Labels Prevents customers from applying AKS-specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS-owned components. The customer should not use these labels. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Kubernetes 48940d92-ff05-449e-9111-e742d9280451 [Preview]: Reserved System Pool Taints Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. Default
Audit
Allowed
Audit, Deny, Disabled
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview) 2024-03-15 22:15:34 BuiltIn
Trusted Launch c95b54ad-0614-4633-ab29-104b01235cbf Virtual Machine should have TrustedLaunch enabled Enable TrustedLaunch on the Virtual Machine for enhanced security; use a VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Azure Update Manager bd876905-5b84-4f73-ab2d-2e7a7c4568d9 Machines should be configured to periodically check for missing system updates To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (3.6.0 > 3.7.0) 2024-03-11 18:31:50 BuiltIn
Cache 766f5de3-c6c0-4327-9f4d-042ab8ae846c Configure Azure Cache for Redis to disable non-SSL ports Enable SSL-only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network-layer attacks such as man-in-the-middle, eavesdropping, and session hijacking. Default
Modify
Allowed
Modify, Disabled
count: 001
Redis Cache Contributor
add
new Policy 2024-03-11 18:31:50 BuiltIn
Azure Ai Services 1b4d1c4e-934c-4703-944c-27c82c06bebb Diagnostic logs in Azure AI services resources should be enabled Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Azure Update Manager 59efceea-0c96-497e-a4a1-4eb2290dac15 Configure periodic checking for missing system updates on Azure virtual machines Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. Fixed
modify
count: 001
Contributor
change
Minor (4.7.0 > 4.8.0) 2024-03-11 18:31:50 BuiltIn
Machine Learning e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f Azure Machine Learning Computes should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Audit
Allowed
Audit, Deny, Disabled
change
Minor (2.0.1 > 2.1.0) 2024-03-11 18:31:50 BuiltIn
Kubernetes a8eff44f-8c92-45c3-a3fb-9880802d67a7 Deploy Azure Policy Add-on to Azure Kubernetes Service clusters Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
count: 002
Azure Kubernetes Service Contributor Role
Azure Kubernetes Service Policy Add-on Deployment
change
Minor (4.0.1 > 4.1.0) 2024-03-11 18:31:50 BuiltIn
Trusted Launch b03bb370-5249-4ea4-9fce-2552e87e45fa Disks and OS image should support TrustedLaunch TrustedLaunch improves the security of a Virtual Machine, which requires the OS Disk and OS Image to support it (Gen 2). To learn more about TrustedLaunch, visit https://aka.ms/trustedlaunch Default
Audit
Allowed
Audit, Disabled
add
new Policy 2024-03-11 18:31:50 BuiltIn
Machine Learning a6f9a2d0-cff7-4855-83ad-4cd750666512 Configure Azure Machine Learning Computes to disable local authentication methods Disable local authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. Default
Modify
Allowed
Modify, Disabled
count: 001