last sync: 2020-Dec-03 15:30:53 UTC

Changes on Azure Policy definitions

Columns: Category, Id, DisplayName, Description, Effect, Roles used, Details (UTC ymd)

Category: Tags
Id: 61a4d60b-7326-440e-8051-9f94394d4dd1
DisplayName: Add or replace a tag on subscriptions
Description: Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation.
Effect: Fixed: modifyTag
Roles used: Contributor
Details (UTC): 2020-11-17 14:39:37; add: 61a4d60b-7326-440e-8051-9f94394d4dd1

Category: Synapse
Id: 2d9dbfa3-927b-4cf0-9d0f-08747f971650
DisplayName: Managed workspace virtual network on Azure Synapse workspaces should be enabled
Description: Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provides user level isolation for Spark activities.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-11-17 14:39:37; add: 2d9dbfa3-927b-4cf0-9d0f-08747f971650

Category: Synapse
Id: f7d52b2d-e161-4dfa-a82b-55e564167385
DisplayName: Azure Synapse workspaces should use customer-managed keys to encrypt data at rest
Description: Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-11-17 14:39:37; add: f7d52b2d-e161-4dfa-a82b-55e564167385

Category: Synapse
Id: 56fd377d-098c-4f02-8406-81eb055902b8
DisplayName: IP firewall rules on Azure Synapse workspaces should be removed
Description: Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace.
Effect: Default: Audit; Allowed: (Audit, Disabled)
Roles used: none
Details (UTC): 2020-11-17 14:39:37; add: 56fd377d-098c-4f02-8406-81eb055902b8

Category: Tags
Id: 96d9a89c-0d67-41fc-899d-2b9599f76a24
DisplayName: Add a tag to subscriptions
Description: Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation.
Effect: Fixed: modifyTag
Roles used: Contributor
Details (UTC): 2020-11-17 14:39:37; add: 96d9a89c-0d67-41fc-899d-2b9599f76a24

Category: Synapse
Id: 72d11df1-dd8a-41f7-8925-b05b960ebafc
DisplayName: Private endpoint connections on Azure Synapse workspaces should be enabled
Description: Private endpoints can be configured to connect privately to an Azure Synapse workspace. This is used to enforce a secure communication channel to Azure Synapse workspace.
Effect: Default: Audit; Allowed: (Audit, Disabled)
Roles used: none
Details (UTC): 2020-11-17 14:39:37; add: 72d11df1-dd8a-41f7-8925-b05b960ebafc

Category: Security Center
Id: 08e6af2d-db70-460a-bfe9-d5bd474ba9d6
DisplayName: Adaptive Network Hardening recommendations should be applied on internet facing virtual machines
Description: Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-11-17 14:39:37; change: Patch (2.0.0 > 2.0.1)

Category: Security Center
Id: feedbf84-6b99-488c-acc2-71c829aa5ffc
DisplayName: Vulnerabilities on your SQL databases should be remediated
Description: Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; change: Major (2.0.0 > 3.0.0)

Category: Azure Data Explorer
Id: ec068d99-e9c7-401f-8cef-5bdde4e6ccf1
DisplayName: Double encryption should be enabled on Azure Data Explorer
Description: Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; add: ec068d99-e9c7-401f-8cef-5bdde4e6ccf1

Category: Synapse
Id: 3a003702-13d2-4679-941b-937e58c443f0
DisplayName: Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants
Description: Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment.
Effect: Default: Audit; Allowed: (Audit, Disabled, Deny)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; add: 3a003702-13d2-4679-941b-937e58c443f0

Category: Backup
Id: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86
DisplayName: [Preview]: Configure backup on VMs without a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag
Effect: Fixed: deployIfNotExists
Roles used: Virtual Machine Contributor, Backup Contributor
Details (UTC): 2020-11-10 16:00:42; add: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86

Category: Backup
Id: 09ce66bc-1220-4153-8104-e3f51c936913
DisplayName: Configure backup on VMs without a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag
Effect: Default: deployIfNotExists; Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
Details (UTC): 2020-11-10 16:00:42; change: Minor (1.0.0 > 1.1.0)

Category: Monitoring
Id: 053d3325-282c-4e5c-b944-24faffd30d77
DisplayName: Deploy Log Analytics agent for Linux VMs
Description: Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed.
Effect: Fixed: deployIfNotExists
Roles used: Log Analytics Contributor
Details (UTC): 2020-11-10 16:00:42; change: Major (1.2.0 > 2.0.0)

Category: Azure Data Explorer
Id: 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413
DisplayName: Virtual network injection should be enabled for Azure Data Explorer
Description: Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; add: 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413

Category: Security Center
Id: 80e94a21-c6cd-4c95-a2c7-beb5704e61c0
DisplayName: Deploy - Configure suppression rules for Azure Security Center alerts
Description: Suppress Azure Security Center alerts to reduce alerts fatigue by deploying suppression rules on your management group or subscription.
Effect: Fixed: deployIfNotExists
Roles used: Security Admin
Details (UTC): 2020-11-10 16:00:42; add: 80e94a21-c6cd-4c95-a2c7-beb5704e61c0

Category: Storage
Id: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
DisplayName: [Preview]: Storage account public access should be disallowed
Description: Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.
Effect: Default: audit; Allowed: (audit, deny, disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; change: Major, suffix remains equal (1.0.1-preview > 2.0.0-preview)

Category: Azure Data Explorer
Id: 81e74cea-30fd-40d5-802f-d72103c2aaaa
DisplayName: Azure Data Explorer encryption at rest should use a customer-managed key
Description: Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; add: 81e74cea-30fd-40d5-802f-d72103c2aaaa

Category: Monitoring
Id: 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069
DisplayName: Deploy Log Analytics agent for Linux virtual machine scale sets
Description: Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.
Effect: Fixed: deployIfNotExists
Roles used: Log Analytics Contributor, Virtual Machine Contributor
Details (UTC): 2020-11-10 16:00:42; change: Major (1.2.0 > 2.0.0)

Category: Portal
Id: 04c655fe-0ac7-48ae-9a32-3a2e208c7624
DisplayName: Shared dashboards should not have markdown tiles with inline content
Description: Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to use 2020-09-01-preview or above version of shared dashboards REST API.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; add: 04c655fe-0ac7-48ae-9a32-3a2e208c7624

Category: API for FHIR
Id: 1ee56206-5dd1-42ab-b02d-8aae8b1634ce
DisplayName: Azure API for FHIR should use private link
Description: Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink.
Effect: Default: Audit; Allowed: (Audit, Disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; add: 1ee56206-5dd1-42ab-b02d-8aae8b1634ce

Category: Stream Analytics
Id: 87ba29ef-1ab3-4d82-b763-87fcd4f531f7
DisplayName: Azure Stream Analytics jobs should use customer-managed keys to encrypt data
Description: Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.
Effect: Default: audit; Allowed: (audit, deny, disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; add: 87ba29ef-1ab3-4d82-b763-87fcd4f531f7

Category: App Configuration
Id: 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1
DisplayName: App Configuration should use a customer-managed key
Description: Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; change: Minor (1.0.1 > 1.1.0)

Category: Backup
Id: 83644c87-93dd-49fe-bf9f-6aff8fd0834e
DisplayName: [Preview]: Configure backup on VMs with a given tag to a new recovery services vault with a default policy
Description: Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag
Effect: Fixed: deployIfNotExists
Roles used: Virtual Machine Contributor, Backup Contributor
Details (UTC): 2020-11-10 16:00:42; add: 83644c87-93dd-49fe-bf9f-6aff8fd0834e

Category: Azure Data Explorer
Id: f4b53539-8df9-40e4-86c6-6b607703bd4e
DisplayName: Disk encryption should be enabled on Azure Data Explorer
Description: Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-11-10 16:00:42; add: f4b53539-8df9-40e4-86c6-6b607703bd4e

Category: Backup
Id: 345fa903-145c-4fe1-8bcd-93ec2adccde8
DisplayName: [Preview]: Configure backup on VMs with a given tag to an existing recovery services vault in the same location
Description: Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag
Effect: Default: deployIfNotExists; Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Roles used: Virtual Machine Contributor, Backup Contributor
Details (UTC): 2020-11-10 16:00:42; add: 345fa903-145c-4fe1-8bcd-93ec2adccde8

Category: Container Registry
Id: 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580
DisplayName: Container registries should be encrypted with a customer-managed key (CMK)
Description: Audit or deny container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://aka.ms/acr/CMK.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-27 14:12:45; change: Minor (1.0.0 > 1.1.0)

Category: Monitoring
Id: c5447c04-a4d7-4ba8-a263-c9ee321a6858
DisplayName: An activity log alert should exist for specific Policy operations
Description: This policy audits specific Policy operations with no activity log alerts configured.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-27 14:12:45; change: Major (2.0.0 > 3.0.0)

Category: SQL
Id: a8793640-60f7-487c-b5c3-1d37215905c4
DisplayName: SQL Managed Instance should have the minimal TLS version of 1.2
Description: Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.
Effect: Default: Audit; Allowed: (Audit, Disabled)
Roles used: none
Details (UTC): 2020-10-27 14:12:45; change: Patch (1.0.0 > 1.0.1)

Category: Guest Configuration
Id: 0447bc18-e2f7-4c0d-aa20-bff034275be1
DisplayName: Audit Linux machines that have the specified applications installed
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed.
Effect: Fixed: auditIfNotExists
Roles used: none
Details (UTC): 2020-10-27 14:12:45; change: Major (2.0.0 > 3.0.0)

Category: SQL
Id: 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9
DisplayName: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports
Description: Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives scan result summary after a periodic scan runs on SQL servers.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-27 14:12:45; change: Major (1.0.0 > 2.0.0)

Category: Machine Learning
Id: ba769a63-b8cc-4b2d-abf6-ac33c7204be8
DisplayName: Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
Description: Evaluate Azure Machine Learning workspaces that do not have encryption enabled with customer-managed keys (CMK). Customer-managed keys add an additional layer of security for workspaces. For more information, visit https://aka.ms/azureml-workspaces-cmk.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-27 14:12:45; change: Patch (1.0.0 > 1.0.1)

Category: SQL
Id: 36d49e87-48c4-4f2e-beed-ba4ed02b71f5
DisplayName: Deploy Threat Detection on SQL servers
Description: This policy ensures that Threat Detection is enabled on SQL Servers.
Effect: Fixed: DeployIfNotExists
Roles used: SQL Security Manager
Details (UTC): 2020-10-27 14:12:45; change: Minor (1.0.0 > 1.1.0)

Category: SQL
Id: 32e6bbec-16b6-44c2-be37-c5b672d103cf
DisplayName: Azure SQL Database should have the minimal TLS version of 1.2
Description: Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.
Effect: Default: Audit; Allowed: (Audit, Disabled)
Roles used: none
Details (UTC): 2020-10-27 14:12:45; change: Patch (1.0.0 > 1.0.1)

Category: API for FHIR
Id: 051cba44-2429-45b9-9649-46cec11c7119
DisplayName: Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest
Description: Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.
Effect: Default: audit; Allowed: (audit, disabled)
Roles used: none
Details (UTC): 2020-10-27 14:12:45; add: 051cba44-2429-45b9-9649-46cec11c7119

Category: Guest Configuration
Id: d3b823c9-e0fc-4453-9fb2-8213b7338523
DisplayName: Audit Linux machines that don't have the specified applications installed
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed.
Effect: Fixed: auditIfNotExists
Roles used: none
Details (UTC): 2020-10-27 14:12:45; change: Major (2.0.0 > 3.0.0)

Category: Key Vault
Id: 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
DisplayName: Key vault should have soft delete enabled
Description: Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidently deleted key vault for a configurable retention period.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-23 13:31:09; add: 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d

Category: Key Vault
Id: 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53
DisplayName: Key vault should have purge protection enabled
Description: Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization may potentially be able to gain access to delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-23 13:31:09; change: Minor (1.0.0 > 1.1.0)

Category: App Service
Id: 74c3584d-afae-46f7-a20a-6f8adba71a16
DisplayName: Ensure that 'Python version' is the latest, if used as a part of the API app
Description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: SQL
Id: 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48
DisplayName: Public network access should be disabled for PostgreSQL flexible servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; add: 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48

Category: Kubernetes
Id: a8eff44f-8c92-45c3-a3fb-9880802d67a7
DisplayName: Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Description: Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.
Effect: Fixed: deployIfNotExists
Roles used: Azure Kubernetes Service Contributor Role
Details (UTC): 2020-10-20 13:29:33; add: a8eff44f-8c92-45c3-a3fb-9880802d67a7

Category: App Service
Id: e2c1c086-2d84-4019-bff3-c44ccd95113c
DisplayName: Ensure that 'HTTP Version' is the latest, if used to run the Function app
Description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 7008174a-fd10-4ef0-817e-fc820a951d73
DisplayName: Ensure that 'Python version' is the latest, if used as a part of the Web app
Description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: SQL
Id: c9299215-ae47-4f50-9c54-8a392f68a052
DisplayName: Public network access should be disabled for MySQL flexible servers
Description: Disabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; add: c9299215-ae47-4f50-9c54-8a392f68a052

Category: App Service
Id: 88999f4c-376a-45c8-bcb3-4058f713cf39
DisplayName: Ensure that 'Java version' is the latest, if used as a part of the API app
Description: Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc
DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Function app
Description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.1 > 2.0.0)

Category: SQL
Id: 24fba194-95d6-48c0-aea7-f65bf859c598
DisplayName: Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
Description: Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; add: 24fba194-95d6-48c0-aea7-f65bf859c598

Category: App Service
Id: 7238174a-fd10-4ef0-817e-fc820a951d73
DisplayName: Ensure that 'Python version' is the latest, if used as a part of the Function app
Description: Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba
DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the API app
Description: Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 8c122334-9d20-4eb8-89ea-ac9a705b74ae
DisplayName: Ensure that 'HTTP Version' is the latest, if used to run the Web app
Description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.1.0 > 2.0.0)

Category: App Service
Id: 991310cd-e9f3-47bc-b7b6-f57b557d07db
DisplayName: Ensure that 'HTTP Version' is the latest, if used to run the API app
Description: Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: SQL
Id: 3a58212a-c829-4f13-9872-6371df2fd0b4
DisplayName: Infrastructure encryption should be enabled for Azure Database for MySQL servers
Description: Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; add: 3a58212a-c829-4f13-9872-6371df2fd0b4

Category: App Service
Id: 7261b898-8a84-4db8-9e04-18527132abb3
DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the WEB app
Description: Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: App Service
Id: 496223c3-ad65-4ecd-878a-bae78737e9ed
DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Web app
Description: Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Effect: Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled)
Roles used: none
Details (UTC): 2020-10-20 13:29:33; change: Major (1.0.0 > 2.0.0)

Category: Key Vault
Id: 587c79fe-dd04-4a5e-9d0b-f89598c7261b
DisplayName: [Preview]: Keys should be backed by a hardware security module (HSM)
Description: An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 587c79fe-dd04-4a5e-9d0b-f89598c7261b

Category: Key Vault
Id: 75c4f823-d65c-4f29-a733-01d0077fdbcb
DisplayName: [Preview]: Keys should be the specified cryptographic type RSA or EC
Description: Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 75c4f823-d65c-4f29-a733-01d0077fdbcb

Category: Key Vault
Id: c26e4b24-cf98-4c67-b48b-5a25c4c69eb9
DisplayName: [Preview]: Keys should not be active for longer than the specified number of days
Description: Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: c26e4b24-cf98-4c67-b48b-5a25c4c69eb9

Category: Key Vault
Id: b0eb591a-5e70-4534-a8bf-04b9c489584a
DisplayName: [Preview]: Secrets should have more than the specified number of days before expiration
Description: If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: b0eb591a-5e70-4534-a8bf-04b9c489584a

Category: Key Vault
Id: 49a22571-d204-4c91-a7b6-09b1a586fbc9
DisplayName: [Preview]: Keys should have the specified maximum validity period
Description: Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 49a22571-d204-4c91-a7b6-09b1a586fbc9

Category: Key Vault
Id: 5ff38825-c5d8-47c5-b70e-069a21955146
DisplayName: [Preview]: Keys should have more than the specified number of days before expiration
Description: If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 5ff38825-c5d8-47c5-b70e-069a21955146

Category: Key Vault
Id: e8d99835-8a06-45ae-a8e0-87a91941ccfe
DisplayName: [Preview]: Secrets should not be active for longer than the specified number of days
Description: If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: e8d99835-8a06-45ae-a8e0-87a91941ccfe

Category: Key Vault
Id: 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0
DisplayName: [Preview]: Keys should have expiration dates set
Description: Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0

Category: Key Vault
Id: 98728c90-32c7-4049-8429-847dc0f4fe37
DisplayName: [Preview]: Secrets should have expiration dates set
Description: It is a recommended security practice to set expiration dates on secrets.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 98728c90-32c7-4049-8429-847dc0f4fe37

Category: Key Vault
Id: ff25f3c8-b739-4538-9d07-3d6d25cfb255
DisplayName: [Preview]: Keys using elliptic curve cryptography should have the specified curve names
Description: Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: ff25f3c8-b739-4538-9d07-3d6d25cfb255

Category: Key Vault
Id: 342e8053-e12e-4c44-be01-c3c2f318400f
DisplayName: [Preview]: Secrets should have the specified maximum validity period
Description: Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 342e8053-e12e-4c44-be01-c3c2f318400f

Category: Key Vault
Id: 82067dbb-e53b-4e06-b631-546d197452d9
DisplayName: [Preview]: Keys using RSA cryptography should have a specified minimum key size
Description: Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 82067dbb-e53b-4e06-b631-546d197452d9

Category: Key Vault
Id: 75262d3e-ba4a-4f43-85f8-9f72c090e5e3
DisplayName: [Preview]: Secrets should have content type set
Description: A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-16 12:27:50; add: 75262d3e-ba4a-4f43-85f8-9f72c090e5e3

Category: General
Id: 6fdb9205-3462-4cfc-87d8-16c7860b53f4
DisplayName: [Deprecated]: Allow resource creation only in Japan data centers
Description: Allows resource creation in the following locations only: Japan East, Japan West
Effect: n/a
Roles used: n/a
Details (UTC): 2020-10-15 14:28:11; remove: 6fdb9205-3462-4cfc-87d8-16c7860b53f4

Category: General
Id: e01598e8-6538-41ed-95e8-8b29746cd697
DisplayName: [Deprecated]: Allow resource creation only in Japan data centers
Description: Allows resource creation in the following locations only: Japan East, Japan West
Effect: n/a
Roles used: n/a
Details (UTC): 2020-10-15 14:28:11; remove: e01598e8-6538-41ed-95e8-8b29746cd697

Category: Lighthouse
Id: 7a8a51a3-ad87-4def-96f3-65a1839242b6
DisplayName: Allow managing tenant ids to onboard through Azure Lighthouse
Description: Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.
Effect: Fixed: deny
Roles used: none
Details (UTC): 2020-10-13 13:23:36; change: Patch (1.0.0 > 1.0.1)

Category: Storage
Id: 4733ea7b-a883-42fe-8cac-97454c2a9e4a
DisplayName: Storage accounts should have infrastructure encryption
Description: Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Roles used: none
Details (UTC): 2020-10-07 16:00:33; add: 4733ea7b-a883-42fe-8cac-97454c2a9e4a

Category: Lighthouse
Id: 7a8a51a3-ad87-4def-96f3-65a1839242b6
DisplayName: Allow managing tenant ids to onboard through Azure Lighthouse
Description: Restricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources.
Effect: Fixed: deny
Roles used: none
Details (UTC): 2020-09-30 14:32:32; add: 7a8a51a3-ad87-4def-96f3-65a1839242b6
Guest Configurationcc7cda28-f867-4311-8497-a526129a8d19[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified membersThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members
Guest Configurationbed48b13-6647-468e-aa2f-1af1d3f4dd40Audit Windows machines on which Windows Defender Exploit Guard is not enabledRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that does not match expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-16 13:09:49
change: Previous DisplayName: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Guest Configurationbde62c94-ccca-4821-a815-92c1d31a76de[Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified membersThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group contains any of the specified members
Guest Configuration93507a81-10a4-4af0-9ee2-34cf25a96e98[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified membersThis policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members
Kubernetes0a15ec92-a229-4763-bb14-0ea34a568f8d[Preview]: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clustersAzure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Default: Audit
Allowed: (Audit, Disabled)
2020-09-16 13:09:49
change: Previous DisplayName: [Preview]: Kubernetes Management Policy add-on should be installed and enabled on your clusters
Guest Configuration5bb36dda-8a78-4df9-affd-4f05a8612a8a[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified oneThis policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration630c64f9-8b6b-4c64-b511-6544ceff6fd6Audit Linux machines that are not using SSH key for authenticationRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Non-compliant if the machine allows passwords for authenticating through SSH Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-16 13:09:49
change: Previous DisplayName: Audit Linux virtual machines on which the use of passwords for SSH is allowed
Guest Configuration144f1397-32f9-4598-8c88-118decc3ccba[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified membersThis policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members
Guest Configuration02a84be7-c304-421f-9bb7-5d2c26af54ad[Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified oneThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Guest Configurationb821191b-3a12-44bc-9c38-212138a29ff3[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified membersThis policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members
Guest Configurationf3b44e5d-1456-475f-9c67-c66c4618e85a[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified membersThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members
Guest Configuratione068b215-0026-4354-b347-8fb2766f73a2Windows machines should meet requirements for 'User Rights Assignment'Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'User Rights Assignment'
Kubernetesf06ddb64-5fa3-4b77-b166-acb36f7f6042Kubernetes cluster pods and containers should only run with approved user and group IDsThis policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs
Guest Configurationcaf2d518-f029-4f6b-833b-d7081702f253Windows machines should meet requirements for 'Security Options - Microsoft Network Server'Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Server'
Kubernetesf4a8fce0-2dd5-4c21-9a36-8f0ec809d663Kubernetes cluster pod FlexVolume volumes should only use allowed driversThis policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Kubernetese345eecc-fa47-480f-9e88-67dcc122b164Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes clusterThis policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster
Guest Configuration43bb60fe-1d7e-4b82-9e93-496bfc99e7d5Windows machines should meet requirements for 'System Audit Policies - Account Logon'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Logon'
Guest Configurationb4a4d1eb-0263-441b-84cb-a44073d8372dWindows machines should meet requirements for 'Security Options - Shutdown'Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Shutdown'
Guest Configurationf71be03e-e25b-4d0f-b8bc-9b3e309b66c0Windows machines should meet requirements for 'Security Options - Recovery console'Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Recovery console'
Kubernetes16697877-1118-4fb1-9b65-9898ec2509ecKubernetes cluster pods should only use allowed volume typesThis policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods should only use allowed volume types
Kubernetesf85eb0dd-92ee-40e9-8a76-db25a507d6d3Kubernetes cluster containers should only use allowed ProcMountTypeThis policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed ProcMountType
Kubernetes95edb821-ddaf-4404-9732-666045e056b4Do not allow privileged containers in Kubernetes clusterThis policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Do not allow privileged containers in Kubernetes cluster
Kubernetes56d0a13f-712f-466b-8416-56fb354fb823Kubernetes cluster containers should not use forbidden sysctl interfacesThis policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should not use forbidden sysctl interfaces
Guest Configuration968410dc-5ca0-4518-8a5b-7b55f0530ea9Windows machines should meet requirements for 'Administrative Templates - System'Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - System'
Guest Configurationd472d2c9-d6a3-4500-9f5f-b15f123005aaWindows machines should meet requirements for 'Security Options - Interactive Logon'Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Interactive Logon'
Guest Configuration8316fa92-d69c-4810-8124-62414f560dcfWindows machines should meet requirements for 'System Audit Policies - System'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - System'
Kubernetesdf49d893-a74c-421d-bc95-c663042e5b80Kubernetes cluster containers should run with a read only root file systemThis policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should run with a read only root file system
Guest Configuration331e8ea8-378a-410f-a2e5-ae22f38bb0daDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMsThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExistsContributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Automanage270610db-8c04-438a-a739-e8e6745b22d3Enable Automanage - Azure virtual machine best practicesAutomanage enrolls, configures, and monitors virtual machines with Azure VM best practice services. Use this policy to apply Automanage to your selected scope. Fixed: deployIfNotExistsContributor
2020-09-15 14:06:41
add: 270610db-8c04-438a-a739-e8e6745b22d3
Guest Configurationbed48b13-6647-468e-aa2f-1af1d3f4dd40Audit Windows machines on which Windows Defender Exploit Guard is not enabledRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that does not match expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Kubernetes098fc59e-46c7-4d99-9b16-64990e543d75Kubernetes cluster pod hostPath volumes should only use allowed host pathsThis policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pod hostPath volumes should only use allowed host paths
Guest Configuratione0a7e899-2ce2-4253-8a13-d808fdeb75afWindows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'
Kubernetese1e6c427-07d9-46ab-9689-bfa85431e636Kubernetes cluster pods and containers should only use allowed SELinux optionsThis policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only use allowed SELinux options
Kubernetes46592696-4c7b-4bf3-9e45-6c2763bdc0a6Enforce labels on pods in Kubernetes clusterThis policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce labels on pods in Kubernetes cluster
Kubernetes3fc4dc25-5baf-40d8-9b05-7fe74c1bc64eEnforce internal load balancers in Kubernetes clusterThis policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce internal load balancers in Kubernetes cluster
Guest Configuration19be9779-c776-4dfa-8a15-a2fd5dc843d6Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'
Guest Configuration492a29ed-d143-4f03-b6a4-705ce081b463Windows machines should meet requirements for 'Security Options - User Account Control'Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - User Account Control'
Kubernetesc26596ff-4d70-4e6a-9a30-c2506bd2f80cKubernetes cluster containers should only use allowed capabilitiesThis policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed capabilities
Guest Configuration3ff60f98-7fa4-410a-9f7f-0b00f5afdbddWindows machines should meet requirements for 'Security Options - Network Access'Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Access'
Guest Configuration8794ff4f-1a35-4e18-938f-0b22055067cdWindows machines should meet requirements for 'Security Options - Devices'Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Devices'
Kubernetesfebd0533-8e55-448f-b837-bd0e06f16469Ensure only allowed container images in Kubernetes clusterThis policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure only allowed container images in Kubernetes cluster
Guest Configuration630c64f9-8b6b-4c64-b511-6544ceff6fd6Audit Linux machines that are not using SSH key for authenticationRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Non-compliant if the machine allows passwords for authenticating through SSH Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Audit Linux virtual machines on which the use of passwords for SSH is allowed
Guest Configuration58383b73-94a9-4414-b382-4146eb02611bWindows machines should meet requirements for 'System Audit Policies - Detailed Tracking'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
Guest Configuration497dff13-db2a-4c0f-8603-28fa3b331ab6Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identityThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modifyContributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Guest Configuration2a7a701e-dff3-4da9-9ec5-42cb98594c0bWindows machines should meet requirements for 'System Audit Policies - Policy Change'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Policy Change'
Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster
Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Guest Configuration | 33936777-f2ac-45aa-82ec-07958ec9ade4 | Windows machines should meet requirements for 'Security Options - Audit' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Audit'
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes clusters should not allow container privilege escalation
Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Security'
Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Management'
Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Enforce HTTPS ingress in Kubernetes cluster | This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce HTTPS ingress in Kubernetes cluster
Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Settings - Account Policies'
Guest Configuration | 35781875-8026-4628-b19b-f6efb4d88a1d | Windows machines should meet requirements for 'System Audit Policies - Object Access' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Object Access'
Guest Configuration | 12017595-5a75-4bb1-9d97-4c2c939ea3c3 | Windows machines should meet requirements for 'Security Options - System settings' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System settings'
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles
Guest Configuration | 35d9882c-993d-44e6-87d2-db66ce21b636 | Windows machines should meet requirements for 'Windows Firewall Properties' | Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Firewall Properties'
Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set the specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Configure time zone on Windows machines.
Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Accounts'
Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Network'
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods should only use approved host network and port range
Guest Configuration | 8537fe96-8cbe-43de-b0ef-131bc72bc22a | Windows machines should meet requirements for 'Windows Components' | Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Components'
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed AppArmor profiles
Guest Configuration | 3aa2661b-02d7-4ba6-99bc-dc36b10489fd | Windows machines should meet requirements for 'Administrative Templates - Control Panel' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Control Panel'
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster
Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Privilege Use'
Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System objects'
Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Linux machines that have accounts without passwords. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: f6ec09a3-78bf-4f8f-99dc-6c77182d0f99
Guest Configuration | 60ffe3e2-4604-4460-8f22-0f1da058266c | [Deprecated]: Show audit results from Windows web servers that are not using secure communication protocols | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows web servers that are not using secure communication protocols
Guest Configuration | c21f7060-c148-41cf-a68b-0ab3e14c764c | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone
Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that have the specified applications installed
Guest Configuration | 315c850a-272d-4502-8935-b79010405970 | [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain | This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain
Guest Configuration | cc7cda28-f867-4311-8497-a526129a8d19 | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members
Guest Configuration | e6ebf138-3d71-4935-a13b-9c7fdddd94df | Audit Windows machines on which the specified services are not installed and 'Running' | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with the matching status specified by the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: e6ebf138-3d71-4935-a13b-9c7fdddd94df
Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that have accounts without passwords
Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | beb6ccee-b6b8-4e91-9801-a5fa4260a104 | Audit Windows machines that have not restarted within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_Operatingsystem is outside the range of days provided by the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: beb6ccee-b6b8-4e91-9801-a5fa4260a104
Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that do not have the specified applications installed
Guest Configuration | f0633351-c7b2-41ff-9981-508fc08553c2 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that have the specified applications installed
Guest Configuration | 884b209a-963b-4520-8006-d20cb3c213e0 | [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that have the specified applications installed
Guest Configuration | 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 | Audit Windows machines that have extra accounts in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2
Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members
Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not have a maximum password age of 70 days. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 4ceb8dc2-559c-478b-a15b-733fbf1e3738
Guest Configuration | ebb67efd-3c46-49b0-adfe-5599eb944998 | Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: ebb67efd-3c46-49b0-adfe-5599eb944998
Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 934345e1-4dfb-4c70-90d7-41990dc9608b
Guest Configuration | d7ccd0ca-8d78-42af-a43d-6b7f928accbc | [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled
Guest Configuration | 5b054a0d-39e2-4d53-bea3-9734cad2c69b | Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that allow re-use of the previous 24 passwords. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 5b054a0d-39e2-4d53-bea3-9734cad2c69b
Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 0447bc18-e2f7-4c0d-aa20-bff034275be1
Guest Configuration | 7e56b49b-5990-4159-a734-511ea19b731c | [Deprecated]: Show audit results from Windows VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that have the specified applications installed
Security Center | 6646a0bd-e110-40ca-bb97-84fcee63c414 | Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 6646a0bd-e110-40ca-bb97-84fcee63c414
Guest Configuration | c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a | [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the specified services are not installed and 'Running'
Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have the password complexity setting enabled
Guest Configuration | 1417908b-4bff-46ee-a2a6-4acc899320ab | Audit Windows machines that contain certificates expiring within the specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 1417908b-4bff-46ee-a2a6-4acc899320ab
Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members
Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not store passwords using reversible encryption
Guest Configuration | 7a031c68-d6ab-406e-a506-697a19c634b0 | [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled
Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
Guest Configuration | a2d0e922-65d0-40c4-8f87-ea6da2d307a2 | Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: a2d0e922-65d0-40c4-8f87-ea6da2d307a2
Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | 32b1e4d4-6cd5-47b4-a935-169da8a5c262 | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running'
Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
Guest Configuration | 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f
Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 9f658460-46b7-43af-8565-94fc0662be38 | [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that are not set to the specified time zone
Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect key vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Default: Audit
Allowed: (Audit, Disabled)
2020-09-09 11:24:03
add: 5f0bc445-3935-4915-9981-011aa2b46147
Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Audit Windows web servers that are not using secure communication protocols | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 5752e6d6-1206-46d8-8ab1-ecc2f71a8112
Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that allow remote connections from accounts without passwords
Security Center | d62cfe2b-3ab0-4d41-980d-76803b58ca65 | Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: d62cfe2b-3ab0-4d41-980d-76803b58ca65
Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the DSC configuration is not compliant
Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed
Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 | [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified applications installed
Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that have accounts without passwords
Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: d3b823c9-e0fc-4453-9fb2-8213b7338523
Guest Configuration | c96f3246-4382-4264-bf6b-af0b35e23c3c | [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot | This policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs with a pending reboot
Guest Configuration | b2fc8f91-866d-4434-9089-5ebfe38d6fd8 | [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols
Security Center | a4fe33eb-e377-4efb-ab31-0784311bc499 | Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring | This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: a4fe33eb-e377-4efb-ab31-0784311bc499
Guest Configuration | 8b0de57a-f511-4d45-a277-17cb79cb163b | [Deprecated]: Show audit results from Windows VMs with a pending reboot | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs with a pending reboot
Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: ea53dbee-c6c9-4f0e-9f9e-de0039b78023
Guest Configuration | 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd | Audit Windows machines on which the DSC configuration is not compliant | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd
Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that have not restarted within the specified number of days
Guest Configuration | 630ac30f-a234-4533-ac2d-e0df77acda51 | Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 630ac30f-a234-4533-ac2d-e0df77acda51
SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. | Default: Deny
Allowed: (Deny, Disabled)
2020-09-09 11:24:03
add: a9934fd7-29f2-4e6d-ab3d-607ea38e9079
Guest Configuration | c5b85cba-6e6f-4de4-95e1-f0233cd712ac | Audit Windows machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: c5b85cba-6e6f-4de4-95e1-f0233cd712ac
Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
Security Center | 5a913c68-0590-402c-a531-e57e19379da3 | Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the systems security posture. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 5a913c68-0590-402c-a531-e57e19379da3
Guest Configuration | 237b38db-ca4d-4259-9e47-7882441ca2c0 | Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 237b38db-ca4d-4259-9e47-7882441ca2c0
Managed Application | 9db7917b-1607-4e7d-a689-bca978dd0633 | Application definition for Managed Application should use customer provided storage account | Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. | Default: audit
Allowed: (audit, deny, disabled)
2020-09-09 11:24:03
add: 9db7917b-1607-4e7d-a689-bca978dd0633
Guest Configuration | bde62c94-ccca-4821-a815-92c1d31a76de | [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group contains any of the specified members
Guest Configuration | da0f98fe-a24b-4ad5-af69-bd0400233661 | Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: da0f98fe-a24b-4ad5-af69-bd0400233661
SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using GRS storage for backups if data residency rules require data to stay within a specific region. | Default: Deny
Allowed: (Deny, Disabled)
2020-09-09 11:24:03
add: b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13
Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration | a29ee95c-0395-4515-9851-cc04ffe82a91 | [Deprecated]: Show audit results from Windows VMs that are not joined to the specified domain | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that are not joined to the specified domain
Security Center | a3a6ea0c-e018-4933-9ef0-5aaa1501449b | Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring | Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: a3a6ea0c-e018-4933-9ef0-5aaa1501449b
Guest Configuration | f3b44e5d-1456-475f-9c67-c66c4618e85a | [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members
Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have a maximum password age of 70 days
Guest Configuration02a84be7-c304-421f-9bb7-5d2c26af54ad[Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified oneThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Key Vault55615ac9-af46-4a59-874e-391cc3dfb490[Preview]: Firewall should be enabled on Key VaultThe key vault firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the key vault firewall to make sure that only traffic from allowed networks can access your key vault. Default: Audit
Allowed: (Audit, Disabled)
2020-09-09 11:24:03
add: 55615ac9-af46-4a59-874e-391cc3dfb490
Guest Configurationc633f6a2-7f8b-4d9e-9456-02f0f04f5505Audit Windows machines that are not set to the specified time zoneRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: c633f6a2-7f8b-4d9e-9456-02f0f04f5505
Guest Configuration4221adbc-5c0f-474f-88b7-037a99e6114cAudit Windows VMs with a pending rebootRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 4221adbc-5c0f-474f-88b7-037a99e6114c
Guest Configuration84662df4-0e37-44a6-9ce1-c9d2150db18cAudit Windows machines that are not joined to the specified domainRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class win32_computersystem does not match the value in the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 84662df4-0e37-44a6-9ce1-c9d2150db18c
Guest Configuration6265018c-d7e2-432f-a75d-094d5f6f4465Audit Windows machines on which the Log Analytics agent is not connected as expectedRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 6265018c-d7e2-432f-a75d-094d5f6f4465
Guest Configuration12f7e5d0-42a7-4630-80d8-54fb7cff9bd6[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installedThis policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed
Guest Configuration8ff0b18b-262e-4512-857a-48ad0aeb9a78[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryptionThis policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
Guest Configuration30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7Audit Windows machines missing any of specified members in the Administrators groupRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7
Guest Configurationec49586f-4939-402d-a29e-6ff502b20592[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwordsThis policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
Guest Configurationf19aa1c1-6b91-4c27-ae6a-970279f03db9[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Guest Configurationbf16e0bb-31e1-4646-8202-60a235cc7e74Audit Windows machines that do not have the password complexity setting enabledRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the password complexity setting is not enabled. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: bf16e0bb-31e1-4646-8202-60a235cc7e74
Guest Configuratione6955644-301c-44b5-a4c4-528577de6861Audit Linux machines that do not have the passwd file permissions set to 0644Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: e6955644-301c-44b5-a4c4-528577de6861
Guest Configuration93507a81-10a4-4af0-9ee2-34cf25a96e98[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified membersThis policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members
Guest Configurationf3b9ad83-000d-4dc1-bff0-6d54533dd03f[Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted RootThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration58c460e9-7573-4bb2-9676-339c2f2486bbAudit Windows machines on which Windows Serial Console is not enabledRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 58c460e9-7573-4bb2-9676-339c2f2486bb
Guest Configuration106ccbe4-a791-4f33-a44a-06796944b8d5[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted RootThis policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configurationc5fbc59e-fb6f-494f-81e2-d99a671bdaa8[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of daysThis policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
App Service10c1859c-e1a7-4df3-ab97-a487fa8059f6[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function AppThis policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Function App
Key Vaultcee51871-e572-4576-855c-047c820360f0[Preview]: Certificates using RSA cryptography should have the specified minimum key sizeManage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage minimum key size for RSA certificates
Key Vault1151cede-290b-4ba0-8b38-0ad145ac888f[Preview]: Certificates should use allowed key typesManage your organizational compliance requirements by restricting the key types allowed for certificates. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage allowed certificate key types
App Serviceab965db2-d2bf-4b64-8b39-c38ec8179461[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function appPHP cannot be used with Function apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the Function app
App Service843664e0-7563-41ee-a9cb-7522c382d2c4[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web appThis policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Web app
App Service86d97760-d216-4d81-a3ad-163087b2b6c3[Deprecated]: Ensure that Register with Azure Active Directory is enabled on API appThis policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on API app
Key Vaultbd78111f-4953-4367-9fd5-7e08808b54bf[Preview]: Certificates using elliptic curve cryptography should have allowed curve namesManage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage allowed curve names for elliptic curve cryptography certificates
Security Center501541f7-f7e7-4cd6-868c-4190fdad3ac9A vulnerability assessment solution should be enabled on your virtual machinesAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Vulnerability assessment should be enabled on virtual machines
Key Vaulta22f4a40-01d3-4c7d-8071-da157eeff341[Preview]: Certificates should be issued by the specified non-integrated certificate authorityManage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates issued by a non-integrated CA
Key Vault12ef42cb-9903-4e39-9c26-422d29570417[Preview]: Certificates should have the specified lifetime action triggersManage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificate lifetime action triggers
App Serviceaa81768c-cb87-4ce2-bfaa-00baa10d760c[Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB AppThis policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on WEB App
Key Vault0a075868-4c26-42ef-914c-5bc007359560[Preview]: Certificates should have the specified maximum validity periodManage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificate validity period
Guest Configurationfc9b3da7-8347-4380-8e70-0a0361d8dedd[Preview]: Linux machines should meet requirements for the Azure security baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not meet the requirements for the Azure security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
add: fc9b3da7-8347-4380-8e70-0a0361d8dedd
App Servicec2e7ca55-f62c-49b2-89a4-d41eb661d2f0[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API appThis policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the API app
Cognitive Services67121cc7-ff39-4ab8-b7e3-95b84dab487dCognitive Services accounts should enable data encryption with customer-managed keyCustomer-managed keys provide enhanced data protection by allowing you to manage your encryption keys for data stored in Cognitive Services. This is often required to meet compliance requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Cognitive Services accounts should enable data encryption with customer managed key
App Servicef0473e7a-a1ba-4e86-afb2-e829e11b01d8[Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function AppThis policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on Function App
Key Vault8e826246-c976-48f6-b03e-619bb92b3d82[Preview]: Certificates should be issued by the specified integrated certificate authorityManage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates issued by an integrated CA
Key Vaultf772fb64-8e40-40ad-87bc-7706e1949427[Preview]: Certificates should not expire within the specified number of daysManage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates that are within a specified number of days of expiration
Synapse84ce0900-69cd-4b5e-b676-0b5a66d027c9[Preview]: Resource type for Azure Synapse linked service should be in allowed listYou can define an allowed list of resource types for Azure Synapse linked service to restrict creation or update on a scope. With this policy in place you can have a better control over the boundary of data movement.n/an/a
2020-08-31 13:45:20
remove: 84ce0900-69cd-4b5e-b676-0b5a66d027c9
Guest Configuration3e4e2bd5-15a2-4628-b3e1-58977e9793f3Audit Windows machines that do not have the specified Windows PowerShell modules installedRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-27 15:39:26
add: 3e4e2bd5-15a2-4628-b3e1-58977e9793f3
84ce0900-69cd-4b5e-b676-0b5a66d027c9 Fixed:
2020-08-27 15:39:26
add: 84ce0900-69cd-4b5e-b676-0b5a66d027c9
Machine Learning40cec1dd-a100-4920-b15b-3024fe8901abAzure Machine Learning workspaces should use private linkEvaluate Azure Machine Learning workspaces that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/azureml-workspaces-privatelink. Default: Audit
Allowed: (Audit, Disabled)
2020-08-27 15:39:26
add: 40cec1dd-a100-4920-b15b-3024fe8901ab
Networkc251913d-7d24-4958-af87-478ed3b9ba41Flow log should be configured for every network security groupAudits network security groups to verify that a flow log resource is configured. Flow log allows logging of information about IP traffic flowing through a network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Fixed: audit
2020-08-27 15:39:26
add: c251913d-7d24-4958-af87-478ed3b9ba41
Guest Configuration16f9b37c-4408-4c30-bc17-254958f2e2d6[Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installedThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-08-27 15:39:26
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed
Guest Configurationf8036bd0-c10b-4931-86bb-94a878add855[Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policyThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-08-27 15:39:26
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy
Guest Configuration90ba2ee7-4ca8-4673-84d1-c851c50d3baf[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installedThis policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-08-27 15:39:26
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed
Guest Configuratione0efc13a-122a-47c5-b817-2ccfe5d12615[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policyThis policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-08-27 15:39:26
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy
Network0db34a60-64f4-4bf6-bd44-f95c16cf34b9Deploy a flow log resource with target network security groupConfigures a flow log for a specific network security group. It allows logging of information about IP traffic flowing through a network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces. Fixed: deployIfNotExistsContributor
2020-08-27 15:39:26
add: 0db34a60-64f4-4bf6-bd44-f95c16cf34b9
Guest Configurationc648fbbb-591c-4acd-b465-ce9b176ca173Audit Windows machines that do not have the specified Windows PowerShell execution policyRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-27 15:39:26
add: c648fbbb-591c-4acd-b465-ce9b176ca173
Storage4fa4b6c0-31ca-4c0d-b10d-24b96f62a751[Preview]: Storage account public access should be disallowedAnonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. Default: audit
Allowed: (audit, deny, disabled)
2020-08-27 15:39:26
add: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
Machine Learningba769a63-b8cc-4b2d-abf6-ac33c7204be8Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)Evaluate Azure Machine Learning workspaces that do not have encryption enabled with customer-managed keys (CMK). Customer-managed keys add an additional layer of security for workspaces. For more information, visit https://aka.ms/azureml-workspaces-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-08-27 15:39:26
add: ba769a63-b8cc-4b2d-abf6-ac33c7204be8
Guest Configurationb4a4d1eb-0263-441b-84cb-a44073d8372dWindows machines should meet requirements for 'Security Options - Shutdown'Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: b4a4d1eb-0263-441b-84cb-a44073d8372d
Guest Configuration12ae2d24-3805-4b37-9fa9-465968bfbcfa[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration6fe4ef56-7576-4dc4-8e9c-26bad4b087ce[Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration1221c620-d201-468c-81e7-2817e6107e84Windows machines should meet requirements for 'Security Options - Network Security'Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 1221c620-d201-468c-81e7-2817e6107e84
Guest Configurationf8b0158d-4766-490f-bea0-259e52dba473[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration0a9991e6-21be-49f9-8916-a06d934bcf29[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | ee984370-154a-4ee8-9726-19d900e56fc0 | Windows machines should meet requirements for 'Security Options - Accounts' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: ee984370-154a-4ee8-9726-19d900e56fc0
Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: e068b215-0026-4354-b347-8fb2766f73a2
Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | 19be9779-c776-4dfa-8a15-a2fd5dc843d6 | Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 19be9779-c776-4dfa-8a15-a2fd5dc843d6
Guest Configuration | d6c69680-54f0-4349-af10-94dd05f4225e | Windows machines should meet requirements for 'Security Options - Microsoft Network Client' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: d6c69680-54f0-4349-af10-94dd05f4225e
Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | 2f262ace-812a-4fd0-b731-b38ba9e9708d | Windows machines should meet requirements for 'Security Options - System objects' | Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 2f262ace-812a-4fd0-b731-b38ba9e9708d
Guest Configuration | 8794ff4f-1a35-4e18-938f-0b22055067cd | Windows machines should meet requirements for 'Security Options - Devices' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 8794ff4f-1a35-4e18-938f-0b22055067cd
Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | 67e010c1-640d-438e-a3a5-feaccb533a98 | Windows machines should meet requirements for 'Administrative Templates - Network' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 67e010c1-640d-438e-a3a5-feaccb533a98
Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 2a7a701e-dff3-4da9-9ec5-42cb98594c0b
Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: f71be03e-e25b-4d0f-b8bc-9b3e309b66c0
Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: d472d2c9-d6a3-4500-9f5f-b15f123005aa
Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration | 87845465-c458-45f3-af66-dcd62176f397 | Windows machines should meet requirements for 'System Audit Policies - Privilege Use' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 87845465-c458-45f3-af66-dcd62176f397
Guest Configuration | caf2d518-f029-4f6b-833b-d7081702f253 | Windows machines should meet requirements for 'Security Options - Microsoft Network Server' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: caf2d518-f029-4f6b-833b-d7081702f253
Guest Configuration | 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5 | Windows machines should meet requirements for 'System Audit Policies - Account Logon' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5
Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | 8316fa92-d69c-4810-8124-62414f560dcf | Windows machines should meet requirements for 'System Audit Policies - System' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 8316fa92-d69c-4810-8124-62414f560dcf
Guest Configuration | 58383b73-94a9-4414-b382-4146eb02611b | Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 58383b73-94a9-4414-b382-4146eb02611b
Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | 968410dc-5ca0-4518-8a5b-7b55f0530ea9 | Windows machines should meet requirements for 'Administrative Templates - System' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 968410dc-5ca0-4518-8a5b-7b55f0530ea9
Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2020-08-20 14:05:01; add: 492a29ed-d143-4f03-b6a4-705ce081b463
Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists | | 2020-08-20 14:05:01; change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor | 2020-08-20 14:05:01; change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
Category: Guest Configuration
Id: 9178b430-2295-406e-bb28-f6a7a2a2f897
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Components'
Category: Guest Configuration
Id: 7040a231-fb65-4412-8c0a-b365f4866c24
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Category: Guest Configuration
Id: 35781875-8026-4628-b19b-f6efb4d88a1d
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Object Access'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 35781875-8026-4628-b19b-f6efb4d88a1d
Category: Guest Configuration
Id: 3aa2661b-02d7-4ba6-99bc-dc36b10489fd
DisplayName: Windows machines should meet requirements for 'Administrative Templates - Control Panel'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 3aa2661b-02d7-4ba6-99bc-dc36b10489fd
Category: Guest Configuration
Id: 7066131b-61a6-4917-a7e4-72e8983f0aa6
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Category: Guest Configuration
Id: 87b590fe-4a1d-4697-ae74-d4fe72ab786c
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Category: Guest Configuration
Id: 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd
DisplayName: Windows machines should meet requirements for 'Security Options - Network Access'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd
Category: Guest Configuration
Id: 29829ec2-489d-4925-81b7-bda06b1718e0
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Category: Guest Configuration
Id: e0a7e899-2ce2-4253-8a13-d808fdeb75af
DisplayName: Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: e0a7e899-2ce2-4253-8a13-d808fdeb75af
Category: Guest Configuration
Id: 498b810c-59cd-4222-9338-352ba146ccf3
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Category: Guest Configuration
Id: 8bbd627e-4d25-4906-9a6e-3789780af3ec
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Category: Guest Configuration
Id: 3d7b154e-2700-4c8c-9e46-cb65ac1578c2
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Category: Guest Configuration
Id: e5b81f87-9185-4224-bf00-9f505e9f89f3
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Category: Guest Configuration
Id: 42a07bbf-ffcf-459a-b4b1-30ecd118a505
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Category: Guest Configuration
Id: ddb53c61-9db4-41d4-a953-2abff5b66c12
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Category: Guest Configuration
Id: 97646672-5efa-4622-9b54-740270ad60bf
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Category: Guest Configuration
Id: c04255ee-1b9f-42c1-abaa-bf1553f79930
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Category: Guest Configuration
Id: bbcdd8fa-b600-4ee3-85b8-d184e3339652
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Category: Guest Configuration
Id: 94d9aca8-3757-46df-aa51-f218c5f11954
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Account Management'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 94d9aca8-3757-46df-aa51-f218c5f11954
Category: Guest Configuration
Id: a1e8dda3-9fd2-4835-aec3-0e55531fde33
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Category: Guest Configuration
Id: 33936777-f2ac-45aa-82ec-07958ec9ade4
DisplayName: Windows machines should meet requirements for 'Security Options - Audit'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 33936777-f2ac-45aa-82ec-07958ec9ade4
Category: Guest Configuration
Id: f2143251-70de-4e81-87a8-36cee5a2f29d
DisplayName: Windows machines should meet requirements for 'Security Settings - Account Policies'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: f2143251-70de-4e81-87a8-36cee5a2f29d
Category: Guest Configuration
Id: 815dcc9f-6662-43f2-9a03-1b83e9876f24
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Category: Guest Configuration
Id: 97b595c8-fd10-400e-8543-28e2b9138b13
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Category: Guest Configuration
Id: 3750712b-43d0-478e-9966-d2c26f6141b9
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Category: Guest Configuration
Id: 12017595-5a75-4bb1-9d97-4c2c939ea3c3
DisplayName: Windows machines should meet requirements for 'Security Options - System settings'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 12017595-5a75-4bb1-9d97-4c2c939ea3c3
Category: Guest Configuration
Id: 437a1f8f-8552-47a8-8b12-a2fee3269dd5
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Category: Guest Configuration
Id: e3d95ab7-f47a-49d8-a347-784177b6c94c
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Category: Guest Configuration
Id: 8537fe96-8cbe-43de-b0ef-131bc72bc22a
DisplayName: Windows machines should meet requirements for 'Windows Components'
Description: Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 8537fe96-8cbe-43de-b0ef-131bc72bc22a
Category: Guest Configuration
Id: 86880e5c-df35-43c5-95ad-7e120635775e
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Category: Guest Configuration
Id: 8e170edb-e0f5-497a-bb36-48b3280cec6a
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Category: Guest Configuration
Id: 35d9882c-993d-44e6-87d2-db66ce21b636
DisplayName: Windows machines should meet requirements for 'Windows Firewall Properties'
Description: Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 35d9882c-993d-44e6-87d2-db66ce21b636
Category: Guest Configuration
Id: f56a3ab2-89d1-44de-ac0d-2ada5962e22a
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Category: Guest Configuration
Id: ba12366f-f9a6-42b8-9d98-157d0b1a837b
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Category: Security Center
Id: ac4a19c2-fa67-49b4-8ae5-0b2e78c49457
DisplayName: Role-Based Access Control (RBAC) should be used on Kubernetes Services
Description: To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.
Default: Audit
Allowed: (Audit, Disabled)
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services
Category: App Platform
Id: af35e2a4-ef96-44e7-a9ae-853dd97032c4
DisplayName: Azure Spring Cloud should use network injection
Description: Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from the Internet. 2. Enable Azure Spring Cloud to interact with systems in either on-premises data centers or Azure services in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.
Default: Audit
Allowed: (Audit, Disabled, Deny)
2020-08-19 13:49:29
add: af35e2a4-ef96-44e7-a9ae-853dd97032c4
Category: Security Center
Id: fb893a29-21bb-418c-a157-e99480ec364c
DisplayName: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Description: Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+
Default: Audit
Allowed: (Audit, Disabled)
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Category: Security Center
Id: 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea
DisplayName: Authorized IP ranges should be defined on Kubernetes Services
Description: Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.
Default: Audit
Allowed: (Audit, Disabled)
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Authorized IP ranges should be defined on Kubernetes Services
Category: Security Center
Id: 5f0f936f-2f01-4bf5-b6be-d423792fa562
DisplayName: Vulnerabilities in Azure Container Registry images should be remediated
Description: Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-19 13:49:29
add: 5f0f936f-2f01-4bf5-b6be-d423792fa562
Category: Storage
Id: 6fac406b-40ca-413b-bf8e-0bf964659c25
DisplayName: Storage account should use customer-managed key for encryption
Description: Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.
Default: Audit
Allowed: (Audit, Disabled)
2020-08-18 14:06:57
add: 6fac406b-40ca-413b-bf8e-0bf964659c25
Category: Storage
Id: 6edd7eda-6dd8-40f7-810d-67160c639cd9
DisplayName: Storage account should use a private link connection
Description: Private links enforce secure communication by providing private connectivity to the storage account.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-18 14:06:57
add: 6edd7eda-6dd8-40f7-810d-67160c639cd9
Category: Storage
Id: 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f
DisplayName: Storage accounts should restrict network access using virtual network rules
Description: Protect your storage accounts from potential threats using virtual network rules as a preferred method to IP-based filtering. Disallowing IP-based filtering prevents public IPs from accessing your storage accounts.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-08-18 14:06:57
add: 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f
Category: SQL
Id: 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8
DisplayName: [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts
Description: Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance.
Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts
Category: Guest Configuration
Id: 331e8ea8-378a-410f-a2e5-ae22f38bb0da
DisplayName: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Description: This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Fixed: deployIfNotExists
Roles used: Contributor
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux virtual machines
Category: Guest Configuration
Id: 497dff13-db2a-4c0f-8603-28fa3b331ab6
DisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Fixed: modify
Roles used: Contributor
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity
Category: SQL
Id: aeb23562-188d-47cb-80b8-551f16ef9fff
DisplayName: [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings
Description: Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins.
Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings
Category: SQL
Id: c8343d2f-fdc9-4a97-b76f-fc71d1163bfc
DisplayName: [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings
Description: Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins.
Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-08-05 13:05:29
change: Previous DisplayName: App Configuration should use a customer managed key
Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows virtual machines
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-07-17 15:57:10
add: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-07-17 15:57:10
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-07-17 15:57:10
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-07-17 15:57:10
add: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced data security should be enabled on SQL Server on Virtual Machines
SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit
Allowed: (Audit, Disabled)
2020-07-14 15:28:17
add: 32e6bbec-16b6-44c2-be37-c5b672d103cf
Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Adaptive application controls for whitelisting safe applications should be enabled on your machines
Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: [Preview] Vulnerability Assessment should be enabled on Virtual Machines
Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Azure Container Registry
Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Azure Kubernetes Service
Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Key Vault
Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Whitelisting rules in your adaptive application control policy should be updated
SQL | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit
Allowed: (Audit, Disabled)
2020-07-14 15:28:17
add: a8793640-60f7-487c-b5c3-1d37215905c4
Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Storage accounts
Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on App Service
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | This policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 16697877-1118-4fb1-9b65-9898ec2509ec
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 975ce327-682c-4f2e-aa46-b9598289b86c
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 098fc59e-46c7-4d99-9b16-64990e543d75
Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Web Application Firewall (WAF) should be enabled for Azure Front Door Service | Requires Web Application Firewall (WAF) on any Azure Front Door Service. A Web Application Firewall provides greater security for your other Azure resources. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
add: 055aa869-bc98-4af8-bafc-23f1ab6ffe2c
Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
change: Previous DisplayName: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway
Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: df49d893-a74c-421d-bc95-c663042e5b80
Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Requires Web Application Firewall (WAF) on any Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
add: 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66
Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
change: Previous DisplayName: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: f06ddb64-5fa3-4b77-b166-acb36f7f6042
Network | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
add: 12430be1-6cc8-4527-a9a8-e3d38f250096
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 56d0a13f-712f-466b-8416-56fb354fb823
Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
Network | 425bea59-a659-4cbb-8d31-34499bd030b8 | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
add: 425bea59-a659-4cbb-8d31-34499bd030b8
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: e1e6c427-07d9-46ab-9689-bfa85431e636
SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Fixed: audit
2020-07-08 14:28:08
change: Previous DisplayName: Azure SQL Databases should have private endpoint connections
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 82985f06-dc18-4a48-bc1c-b9f4f0098cfe
SQL | 77e8b146-0078-4fb2-b002-e112381199f0 | Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | Fixed: AuditIfNotExists
2020-07-08 14:28:08
add: 77e8b146-0078-4fb2-b002-e112381199f0
SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Fixed: audit
2020-07-08 14:28:08
change: Previous DisplayName: Audit public network access setting for Azure SQL Database
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 511f5417-5d12-434d-ab2e-816901e72a5e
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings
SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private links | Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. | Default: Audit
Allowed: (Audit, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: [Preview]: Azure SignalR Service should use private links
SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Advanced data security settings for SQL managed instance should contain an email address to receive security alerts
SQL | bda18df3-5e41-4709-add9-2554ce68c966 | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings | It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings
SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Fixed: audit
2020-07-01 14:50:07
add: 7698e800-9299-47a6-b3b6-5a0fee576eed
SQL | e756b945-1b1b-480b-8de8-9a0859d5f7ad | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings
SQL | 9677b740-f641-4f3c-b9c5-466005c85278 | [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Advanced data security settings for SQL server should contain an email address to receive security alerts
SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead, which may expose resources directly to the internet and increase the potential attack surface. | Default: Audit
Allowed: (Audit, Disabled)
2020-07-01 14:50:07
add: 2154edb9-244f-4741-9970-660785bccdaa
SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Fixed: audit
2020-07-01 14:50:07
add: 1b8ca024-1d5c-4dec-8995-b1a932b41780
Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-30 14:58:19
change: Previous DisplayName: Audit prerequisites to enable Guest Configuration policies on Windows VMs.
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | n/a | n/a
2020-06-29 05:46:45
remove: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-29 05:46:45
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | n/a | n/a
2020-06-29 05:46:45
remove: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-29 05:46:45
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-06-23 16:03:25
add: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 308fbb08-4ab8-4e67-9b29-592e93fb94fa
Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 0e6763cc-5078-4e64-889d-ff4d9a839047
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-06-23 16:03:25
add: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-23 16:03:25
add: 331e8ea8-378a-410f-a2e5-ae22f38bb0da
Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | [Preview]: Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit
Allowed: (Audit, Disabled)
2020-06-23 16:03:25
add: 0a15ec92-a229-4763-bb14-0ea34a568f8d
Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 523b5cd1-3e23-492f-a539-13118b6d1e3a
Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 6581d072-105e-4418-827f-bd446d56421b
Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-23 16:03:25
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-23 16:03:25
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: faf25c8c-9598-4305-b4de-0aee1317fb31
Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB account should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Cosmos DB when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. See https://aka.ms/cosmosdb-cmk | Default: audit
Allowed: (audit, deny, disabled)
2020-06-23 16:03:25
add: 1f905d99-2ab7-462c-a6b0-f709acca6c8f
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | This policy helps provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-06-23 16:03:25
add: 6a6f7384-63de-11ea-bc55-0242ac130003
API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: audit
Allowed: (audit, disabled)
2020-06-23 16:03:25
add: 0fea8f8a-4169-495d-8307-30ec335f387d
Security Center | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 2913021d-f2fd-4f3d-b958-22354e2bdbcb
Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-06-23 16:03:25
add: 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb
Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-23 16:03:25
add: 385f5831-96d4-41db-9a3c-cd3af78aaae6
Security Center | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 4da35fc9-c9e7-4960-aec9-797fe7d9051d
Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor
2020-06-22 16:06:25
change: Previous DisplayName: Deploy Dependency agent for Linux VMs
Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Log Analytics Contributor
2020-06-22 16:06:25
change: Previous DisplayName: Deploy Dependency agent for Windows VMs
Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-06-11 19:46:04
add: f6b68e5a-7207-4638-a1fb-47d90404209e
Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-06-11 19:46:04
add: be7ed5c8-2660-4136-8216-e6f3412ba909
SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private links | Audit Azure SignalR Service resources that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/asrs/privatelink. | Default: Audit
Allowed: (Audit, Disabled)
2020-06-09 16:25:53
add: 53503636-bcc9-4748-9663-5348217f160f
Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days
Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled
Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | This policy audits any Cognitive Services account not using customer owned storage. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 46aa9b05-0e60-4eae-a88b-1e9d374fa515
Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 11566b39-f7f7-4b82-ab06-68d8700eb0a4
Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Components'
Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that have accounts without passwords
Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the DSC configuration is not compliant
Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | Cognitive Services accounts should enable data encryption | This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 2bdd0062-9d75-436e-89df-487dd8e4b3c7
Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that have not restarted within the specified number of days
Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'User Rights Assignment'
Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-09 16:25:53
add: bb91dfba-c30d-4263-9add-9c2384e659a6
Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | [Preview]: Deploy GitOps to Kubernetes cluster | This policy deploys a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth from the defined git repo. For instructions on using this policy, visit https://aka.ms/K8sGitOpsPolicy. | Fixed: DeployIfNotExists | Contributor
2020-06-09 16:25:53
add: 1d61c4d2-aef2-432b-87fc-7f96b019b7e1
Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords
Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys for data stored in Cognitive Services. This is often required to meet compliance requirements. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 67121cc7-ff39-4ab8-b7e3-95b84dab487d
Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Audit Linux machines that are not using SSH key for authentication | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine allows passwords for authenticating through SSH. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-09 16:25:53
add: 630c64f9-8b6b-4c64-b511-6544ceff6fd6
Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Public network access should be disabled for Cognitive Services accounts | This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 0725b4dd-7e76-479c-a735-68e7ee23d5ca
Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption
Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
SQL | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-08 18:42:36
change: Previous DisplayName: Vulnerability assessment should be enabled on your SQL managed instances
Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-08 18:42:36
change: Previous DisplayName: Adaptive Application Controls should be enabled on virtual machines
Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-08 18:42:36
change: Previous DisplayName: DDoS Protection Standard should be enabled
SQL | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | Advanced data security should be enabled on SQL Managed Instance | Audit each SQL Managed Instance without advanced data security. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-08 18:42:36
change: Previous DisplayName: Advanced data security should be enabled on your SQL managed instances
Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS
Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS
Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce labels on pods in AKS
Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce internal load balancers in AKS
Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS
Cache | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: Only secure connections to your Redis Cache should be enabled
Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS
Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure only allowed container images in AKS
Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Do not allow privileged containers in AKS
Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: Just-In-Time network access control should be applied on virtual machines
Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Preview]: IP Forwarding on your virtual machine should be disabled
Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce HTTPS ingress in AKS
Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default: deny
Allowed: (audit, deny, disabled)
2020-05-29 15:39:09
add: 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf
Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-05-29 15:39:09
add: 842c54e8-c2f9-4d79-ae8d-38d8b8019373
Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor
2020-05-29 15:39:09
add: f1525828-9a90-4fcf-be48-268cdd02361e
Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private links | Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should use private links
Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center alerts and recommendations | Enable export to Event Hub of Azure Security Center alerts and/or recommendations. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor
2020-05-29 15:39:09
add: cdfcce10-4578-4ecd-9703-530938e4abcb
Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-05-29 15:39:09
add: 123a3936-f020-408a-ba0c-47873faf1534
Cosmos DB | 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | Fixed: append
2020-05-29 15:39:09
add: 4750c32b-89c0-46af-bfcb-2e4541a818d5
Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | [Preview]: Deploy Dependency agent to Windows Azure Arc machines | This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Deploy Dependency agent to hybrid Windows VMs managed in Azure Arc
Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-29 15:39:09
add: 037eea7a-bd0a-46c5-9a66-03aea78705d3
Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines | This policy deploys the Log Analytics agent to Linux Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor
2020-05-29 15:39:09
add: 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf
Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Audit container registries that do not have any network or firewall (IP) rules configured and so allow all network access by default. Restricting network access protects container registries from potential threats. Container registries with at least one IP / firewall rule or configured virtual network are deemed compliant. For more information on Container Registry network rules, visit: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should not allow unrestricted network access
Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines | This policy deploys the Dependency agent to Linux Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Log Analytics Contributor
2020-05-29 15:39:09
add: deacecc0-9f84-44d2-bb82-46f32d766d43
Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations | Enable export to Log Analytics workspace of Azure Security Center alerts and/or recommendations. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor
2020-05-29 15:39:09
add: ffb6f416-7bd2-4488-8828-56585fef2be9
Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-05-29 15:39:09
add: d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e
API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Virtual network on API Management services of the specified SKU should be enabled. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
add: ef619a2c-cc4d-4d03-b2ba-8c94a834d85b
Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private links | Audit Azure Event Grid domains that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
add: 9830b652-8523-49cc-b1b3-e17dce1127ca
Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private links | Audit Azure Event Grid topics that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections via private links. For more information, visit https://aka.ms/privateendpoints. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
add: 4b90e17e-8448-49db-875e-bd83fb6f804f
Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key (CMK) | Audit or deny container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should be encrypted with a Customer-Managed Key (CMK)
Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Roles used: Contributor
2020-05-29 15:39:09
add: 73d6ab6c-2475-4850-afd6-43795f3492ef
Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines | This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Deploy Log Analytics agent to hybrid Windows VMs managed in Azure Arc
Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines | This policy deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-05-21 16:06:38
add: 69af7d4a-7b18-4044-93a9-2651498ef203
Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | Azure Cache for Redis has the ability to reside within a virtual network, which is a way for the resource to have a non-public endpoint controlled and managed by the user. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-21 16:06:38
add: 7d092e0a-7acd-40d2-a975-dca21cae48c4
Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | This policy helps provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 5853517a-63de-11ea-bc55-0242ac130003
Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | This policy helps provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 1d413020-63de-11ea-bc55-0242ac130003
Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | This policy helps configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 3948394e-63de-11ea-bc55-0242ac130003
Security Center | 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Contributor
2020-05-13 05:56:52
add: 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | This policy helps provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 53c70b02-63dd-11ea-bc55-0242ac130003
Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | [Preview]: Deploy Dependency agent to Windows Azure Arc machines | This policy deploys the Dependency agent to Windows Azure Arc machines if the agent isn't installed. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-05-13 05:56:52
add: 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4
Security Center | 6df2fee6-a9ed-4fef-bced-e13be1b25f1c | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Contributor
2020-05-13 05:56:52
add: 6df2fee6-a9ed-4fef-bced-e13be1b25f1c
Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | This policy helps provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 77eeea86-7e81-4a7d-9067-de844d096752
Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-09 14:57:51
change: Previous DisplayName: Audit unrestricted network access to storage accounts
Compute | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Fixed: Deny
2020-05-09 14:57:51
change: Previous DisplayName: Allowed virtual machine SKUs
Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private links | Audit container registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. Public access can then be disabled to ensure that only private links can be used to connect to the registry. For more information, visit: https://aka.ms/acr/private-link. | Default: Audit
Allowed: (Audit, Disabled)
2020-04-28 14:50:57
add: e8eef0a8-67cf-4eb4-9386-14b0e78733d4
SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | Bring your own key data protection should be enabled for PostgreSQL servers | Using customer-managed keys for encrypting data at rest in your Azure Database for PostgreSQL database servers enables implementing a separation of duties in the management of keys and data. When you configure a customer-managed key, the key is used to protect and control access to the key that encrypts your data. You have full control and responsibility for the key lifecycle, including rotation and management. The use of customer-managed keys is sometimes required for compliance purposes. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-04-28 14:50:57
add: 18adea5e-f416-4d0f-8aa8-d24321e3e274
SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disabling the public network access property improves security by ensuring your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit
Allowed: (Audit, Disabled)
2020-04-28 14:50:57
add: d9844e8a-1437-4aeb-a32c-0c992f056095
SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disabling the public network access property improves security by ensuring your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit
Allowed: (Audit, Disabled)
2020-04-28 14:50:57
add: fdccbe47-f3e3-4213-ad5d-ea459b2fa077
SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit
Allowed: (Audit, Disabled)
2020-04-28 14:50:57
add: b52376f7-9612-48a1-81cd-1ffe4b61032c
SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | Bring your own key data protection should be enabled for MySQL servers | Using customer-managed keys for encrypting data at rest in your Azure Database for MySQL database servers enables implementing a separation of duties in the management of keys and data. When you configure a customer-managed key, the key is used to protect and control access to the key that encrypts your data. You have full control and responsibility for the key lifecycle, including rotation and management. The use of customer-managed keys is sometimes required for compliance purposes. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-04-28 14:50:57
add: 83cef61d-dbd1-4b20-a4fc-5fbc7da10833
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce internal load balancers in Kubernetes cluster
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Enforce labels on pods in Kubernetes cluster | This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce labels on pods in Kubernetes cluster
Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster
Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure only allowed container images in Kubernetes cluster
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Enforce HTTPS ingress in Kubernetes cluster | This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster
Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes cluster
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Do not allow privileged containers in Kubernetes cluster
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-04-23 15:06:19
change: Previous DisplayName: [Preview]: [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes cluster
Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted
Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VMs
Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Virtual Machine Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux Virtual Machine Scale Sets
Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor, Virtual Machine Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows Virtual Machine Scale Sets
Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy Dependency agent for Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VMs
Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor, Virtual Machine Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux Virtual Machine Scale Sets
Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VMs
Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment in Virtual Machine Scale Sets - VM Image (OS) unlisted
Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VMs
Monitoring | f47b5582-33ec-4c5c-87c0-b010a6b2e917 | Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | Fixed: audit
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Log Analytics Workspace for VM - Report Mismatch
Monitoring | 11ac78e3-31bc-4f0c-8434-37ab963cea07 | Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment - VM Image (OS) unlisted
Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Virtual Machine Contributor
2020-04-22 04:43:16
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows Virtual Machine Scale Sets
Network | fc5e4038-4584-4632-8c85-c0448d374b2c | [Preview]: All Internet traffic should be routed via your deployed Azure Firewall | Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-03-17 09:22:59
add: fc5e4038-4584-4632-8c85-c0448d374b2c
Cosmos DB | 0473574d-2d43-4217-aefe-941fcdf7e684 | Azure Cosmos DB allowed locations | This policy enables you to restrict the locations your organization can specify when deploying Azure Cosmos DB resources. Use to enforce your geo-compliance requirements. | Default: deny
Allowed: (deny, audit, disabled)
2020-03-17 09:22:59
add: 0473574d-2d43-4217-aefe-941fcdf7e684
Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-03-17 09:22:59
add: 5fc23db3-dd4d-4c56-bcc7-43626243e601
Guest Configuration | 6a7a2bcf-f9be-4e35-9734-4f9657a70f1d | [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which Windows Defender Exploit Guard is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles used: Contributor
2020-03-17 09:22:59
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Audit Windows machines on which Windows Defender Exploit Guard is not enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the PowerShell command Get-MPPreference returns configuration details that does not match expected values. Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread. Exploit Guard protection consists of a number of mitigations that can be applied to either the operating system or individual apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-03-17 09:22:59
add: bed48b13-6647-468e-aa2f-1af1d3f4dd40
Guest Configuration | 0d9b45ff-9ddd-43fc-bf59-fbd1c8423053 | [Deprecated]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which Windows Defender Exploit Guard is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-03-17 09:22:59
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which Windows Defender Exploit Guard is not enabled
Tags | 1e30110a-5ceb-460c-a204-c1c3969c6d62 | Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. | Fixed: deny
2020-03-10 16:29:49
change: Previous DisplayName: Require tag and its value
Tags | 9ea02ca2-71db-412d-8b00-7c7ca9fcd32d | Append a tag and its value from the resource group | Appends the specified tag with its value from the resource group when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its value from the resource group
Tags | 49c88fc8-6fd1-46fd-a676-f12d1d3a4c71 | Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its default value to resource groups
Tags | 2a0e14a6-b0a6-4fab-991a-187a4f81c498 | Append a tag and its value to resources | Appends the specified tag and value when any resource which is missing this tag is created or updated. Does not modify the tags of resources created before this policy was applied until those resources are changed. Does not apply to resource groups. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | Fixed: append
2020-03-10 16:29:49
change: Previous DisplayName: Append tag and its default value
Tags | 8ce3da23-7156-49e4-b145-24f95f9dcb46 | Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | Fixed: deny
2020-03-10 16:29:49
change: Previous DisplayName: Require tag and its value on resource groups
Tags | 96670d01-0a4d-4649-9c89-2d3abc0a5025 | Require a tag on resource groups | Enforces existence of a tag on resource groups. | Fixed: deny
2020-03-10 16:29:49
change: Previous DisplayName: Require specified tag on resource groups
Tags | 871b6d14-10aa-478d-b590-94f262ecfa99 | Require a tag on resources | Enforces existence of a tag. Does not apply to resource groups. | Fixed: deny
2020-03-10 16:29:49
change: Previous DisplayName: Require specified tag
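The Tags entries above and the "Allowed virtual machine size SKUs" entry (cccc23c7-8427-4f53-ad12-b6a63eb452b3) are all `deny`-effect definitions, which means the policy rule is evaluated against the resource body at create or update time and the request is refused when the `if` block matches. The following Python script is an added example, not code from this changelog or from Azure Policy's own engine: a minimal evaluator for the condition language those definitions are written in (field, equals, in, exists, allOf, anyOf, not, plus `parameters()` and `concat()` template expressions), run over constructed resource bodies. The two rules are reconstructions modelled on the "Require a tag on resources" and "Allowed virtual machine size SKUs" built-ins, not verbatim copies; the ALIASES table, the sample resources and the helper names are assumptions, and the real service supports many more operators and aliases.

```python
import re

# Maps the provider aliases used in policy 'field' values to the property path
# on the ARM resource body. Illustrative subset (assumption).
ALIASES = {
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}
_PARAM = re.compile(r"parameters\('(\w+)'\)")
_CONCAT_ARG = re.compile(r"'([^']*)'|parameters\('(\w+)'\)")


def resolve(value, params):
    """Expand [parameters('x')] or [concat('lit', parameters('x'), ...)];
    any value that is not a bracketed template expression passes through."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    expr = value[1:-1]
    m = _PARAM.fullmatch(expr)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"concat\((.*)\)", expr)
    if m:
        return "".join(str(params[pname]) if pname else lit
                       for lit, pname in _CONCAT_ARG.findall(m.group(1)))
    raise ValueError(f"unsupported expression: {value}")


def get_field(resource, field):
    """Read a policy 'field' from a resource body: top-level keys, tags[name],
    or a provider alias from ALIASES. A missing value resolves to None."""
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    if field in ("type", "name", "location"):
        return resource.get(field)
    path = ALIASES.get(field)
    if path is None:
        raise ValueError(f"unknown alias: {field}")
    node = resource
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _eq(a, b):
    """Azure Policy compares strings case-insensitively."""
    return a.lower() == b.lower() if isinstance(a, str) and isinstance(b, str) else a == b


def matches(cond, resource, params):
    """Evaluate one condition: allOf / anyOf / not, or a single field test."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = get_field(resource, resolve(cond["field"], params))
    if "exists" in cond:  # 'exists' takes the string "true"/"false" in real definitions
        return (actual is not None) == (str(resolve(cond["exists"], params)).lower() == "true")
    if "equals" in cond:
        return _eq(actual, resolve(cond["equals"], params))
    if "in" in cond:
        return any(_eq(actual, v) for v in resolve(cond["in"], params))
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def evaluate(definition, resource, params=None):
    """Return the effect the definition applies ('deny', 'audit', ...) when the
    'if' block matches, or None when the resource is compliant."""
    rule = definition["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params or {}) else None


# Modelled on "Require a tag on resources" (871b6d14-...): deny when the named
# tag is absent. Reconstruction of the built-in, not a verbatim copy.
REQUIRE_TAG = {"policyRule": {
    "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    "then": {"effect": "deny"}}}

# Modelled on "Allowed virtual machine size SKUs" (cccc23c7-...): deny a VM whose
# size is outside the allow-list; non-VM resources are never matched. Reconstruction.
ALLOWED_VM_SKUS = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "deny"}}}

# Constructed sample resource bodies (not from any real subscription).
VM_COMPLIANT = {"type": "Microsoft.Compute/virtualMachines", "name": "web01",
                "tags": {"owner": "sec-team"},
                "properties": {"hardwareProfile": {"vmSize": "Standard_D2s_v3"}}}
VM_ROGUE = {"type": "Microsoft.Compute/virtualMachines", "name": "miner01",
            "properties": {"hardwareProfile": {"vmSize": "Standard_NC24"}}}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "logs01",
           "tags": {"owner": "sec-team"}}


def audit_report(resources, definition, params):
    """Map each resource name to the effect it would receive (None = compliant)."""
    return {r["name"]: evaluate(definition, r, params) for r in resources}


if __name__ == "__main__":
    fleet = [VM_COMPLIANT, VM_ROGUE, STORAGE]
    print(audit_report(fleet, REQUIRE_TAG, {"tagName": "owner"}))
    print(audit_report(fleet, ALLOWED_VM_SKUS, {"listOfAllowedSKUs": ["Standard_D2s_v3"]}))
```

Two behaviours of the real engine are worth seeing in the output: the untagged VM is denied by REQUIRE_TAG while the tagged storage account passes, because the tag check is type-agnostic, and the SKU rule only ever fires for `Microsoft.Compute/virtualMachines`, so the storage account is compliant regardless of the allow-list. The `not`/`in` shape also explains why an empty `listOfAllowedSKUs` denies every VM.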
Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor, Virtual Machine Contributor
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)
Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Virtual Machine Contributor
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Windows VM Scale Sets (VMSS)
Monitoring | 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 | Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Virtual Machine Contributor
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Dependency Agent for Linux VM Scale Sets (VMSS)
Monitoring | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 | Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Audit Dependency Agent Deployment in VMSS - VM Image (OS) unlisted
Monitoring | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 | Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | Fixed: auditIfNotExists
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted
Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Roles used: Log Analytics Contributor, Virtual Machine Contributor
2020-02-29 21:43:10
change: Previous DisplayName: [Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)
SQL | 0564d078-92f5-4f97-8398-b9f58a51f70b | Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-02-27 09:26:21
add: 0564d078-92f5-4f97-8398-b9f58a51f70b
SQL | 3375856c-3824-4e0e-ae6a-79e011dd4c47 | MySQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MySQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MySQL has virtual network service endpoint being used. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-02-27 09:26:21
add: 3375856c-3824-4e0e-ae6a-79e011dd4c47
SQL | 3c14b034-bcb6-4905-94e7-5b8e98a47b65 | PostgreSQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether the Azure Database for PostgreSQL server is using a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-02-27 09:26:21
add: 3c14b034-bcb6-4905-94e7-5b8e98a47b65
SQL | 0a1302fb-a631-4106-9753-f3d494733990 | Private endpoint should be enabled for MariaDB servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-02-27 09:26:21
add: 0a1302fb-a631-4106-9753-f3d494733990
SQL | dfbd9a64-6114-48de-a47d-90574dc2e489 | MariaDB server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit whether the Azure Database for MariaDB server is using a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-02-27 09:26:21
add: dfbd9a64-6114-48de-a47d-90574dc2e489
SQL | 7595c971-233d-4bcf-bd18-596129188c49 | Private endpoint should be enabled for MySQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-02-27 09:26:21
add: 7595c971-233d-4bcf-bd18-596129188c49
Security Center | 1a833ff1-d297-4a0f-9944-888428f8e0ff | [Deprecated]: Access to App Services should be restricted | Azure Security Center has discovered that the networking configuration of some of your App Services is overly permissive and allows inbound traffic from ranges that are too broad. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-02-25 11:29:35
change: Previous DisplayName: [Preview]: Access to App Services should be restricted
Tags | b27a0cbd-a167-4dfa-ae64-4337be671140 | Inherit a tag from the subscription | Adds or replaces the specified tag and value from the containing subscription when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. | Fixed: modify | Roles: Contributor
2020-02-20 08:25:18
add: b27a0cbd-a167-4dfa-ae64-4337be671140
Tags | 40df99da-1232-49b1-a39a-6da8d878f469 | Inherit a tag from the subscription if missing | Adds the specified tag with its value from the containing subscription when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | Fixed: modify | Roles: Contributor
2020-02-20 08:25:18
add: 40df99da-1232-49b1-a39a-6da8d878f469
Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure Security Center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regard to the web application ports. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-02-20 08:25:18
change: Previous DisplayName: Web ports should be restricted on Network Security Groups associated to your VM
Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Audit container registries that do not have any network or firewall (IP) rules configured and so allow all network access by default. Restricting network access protects container registries from potential threats. Container registries with at least one IP / firewall rule or configured virtual network are deemed compliant. For more information on Container Registry network rules, visit: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/vnet. | Default: Audit
Allowed: (Audit, Disabled)
2020-02-12 02:52:44
add: d0793b48-0edc-4296-a390-4c75d1bdfd71
App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-02-12 02:52:44
add: 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1
App Platform | 0f2d8593-4667-4932-acca-6a9f187af109 | [Preview]: Audit Azure Spring Cloud instances where distributed tracing is not enabled | Distributed tracing tools in Azure Spring Cloud allow debugging and monitoring the complex interconnections between microservices in an application. Distributed tracing tools should be enabled and in a healthy state. | Default: Audit
Allowed: (Audit, Disabled)
2020-02-12 02:52:44
add: 0f2d8593-4667-4932-acca-6a9f187af109
Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Roles: Monitoring Contributor, Log Analytics Contributor
2020-02-12 02:52:44
add: c717fb0c-d118-4c43-ab3d-ece30ac81fb3
Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key (CMK) | Audit or deny container registries that do not have encryption enabled with customer-managed keys (CMK). Azure automatically encrypts registry contents at rest with service-managed keys. You can supplement default encryption with an additional encryption layer using a key that you create and manage in Azure Key Vault. For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-02-12 02:52:44
add: 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580
App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use a private link | Private endpoint connections allow clients on a virtual network to securely access Azure App Configuration over a private link. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-02-12 02:52:44
add: ca610c1d-041c-4332-9d88-7ed3094967c7
Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-02-08 03:50:24
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2020-02-08 03:50:24
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-02-08 03:50:24
change: Previous DisplayName: Ensure that 'Java version' is the latest, if used as a part of the Funtion app
Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-01-29 21:53:30
add: c5447c04-a4d7-4ba8-a263-c9ee321a6858
Monitoring | 3b980d31-7904-4bb7-8575-5665739a8052 | An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-01-29 21:53:30
add: 3b980d31-7904-4bb7-8575-5665739a8052
Network | 2c89a2e5-7285-40fe-afe0-ae8654b92fab | SSH access from the Internet should be blocked | This policy audits any network security rule that allows SSH access from the Internet. | Default: Audit
Allowed: (Audit, Disabled)
2020-01-29 21:53:30
add: 2c89a2e5-7285-40fe-afe0-ae8654b92fab
Security Center | ac076320-ddcf-4066-b451-6154267e8ad2 | Enable Azure Security Center on your subscription | Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. | Fixed: deployIfNotExists | Roles: Security Admin
2020-01-29 21:53:30
add: ac076320-ddcf-4066-b451-6154267e8ad2
Network | e372f825-a257-4fb8-9175-797a8a8627d6 | RDP access from the Internet should be blocked | This policy audits any network security rule that allows RDP access from the Internet. | Default: Audit
Allowed: (Audit, Disabled)
2020-01-29 21:53:30
add: e372f825-a257-4fb8-9175-797a8a8627d6
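The two Network entries above (SSH on 22, RDP on 3389) audit individual NSG security rules that allow the port inbound from the Internet. The following is an added, constructed example of the same per-rule check run locally over NSG rule data in the shape of the ARM resource's properties; it is not the built-in policy definitions' own JSON, and the set of source prefixes treated as "Internet" and the protocol handling are assumptions made here for illustration.

```python
"""Per-rule check approximating the SSH/RDP-from-Internet audit policies.

Added illustrative example (not the policy definitions' own logic). The set of
"anywhere" source prefixes and the TCP/* protocol filter are assumptions.
"""
from __future__ import annotations

INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}  # assumed match set
AUDITED_PORTS = {"SSH": 22, "RDP": 3389}


def _port_ranges(rule: dict) -> list[tuple[int, int]]:
    """Expand destinationPortRange / destinationPortRanges into (low, high) pairs."""
    raw = [rule["destinationPortRange"]] if rule.get("destinationPortRange") else []
    raw += rule.get("destinationPortRanges", [])
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _sources(rule: dict) -> list[str]:
    """Collect sourceAddressPrefix and sourceAddressPrefixes into one list."""
    raw = [rule["sourceAddressPrefix"]] if rule.get("sourceAddressPrefix") else []
    return raw + rule.get("sourceAddressPrefixes", [])


def allows_port_from_internet(rule: dict, port: int) -> bool:
    """True if this single rule admits inbound TCP (or any-protocol) traffic to `port` from the Internet."""
    if rule.get("access", "").lower() != "allow":
        return False
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in {"*", "tcp"}:
        return False
    if not any(src.strip().lower() in INTERNET_SOURCES for src in _sources(rule)):
        return False
    return any(low <= port <= high for low, high in _port_ranges(rule))


def find_violations(nsg: dict) -> list[tuple[str, str]]:
    """Return sorted (service, rule name) pairs for every rule the SSH/RDP audits would flag."""
    hits = []
    for rule in nsg.get("securityRules", []):
        for service, port in AUDITED_PORTS.items():
            if allows_port_from_internet(rule, port):
                hits.append((service, rule["name"]))
    return sorted(hits)


# Constructed sample NSG (not a real deployment).
SAMPLE_NSG = {
    "name": "example-nsg",
    "securityRules": [
        {"name": "allow-ssh-internet", "access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
        {"name": "allow-rdp-office", "access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
        {"name": "allow-web-internet", "access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
        {"name": "allow-any-inbound", "access": "Allow", "direction": "Inbound",
         "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
        {"name": "deny-ssh-internet", "access": "Deny", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
        {"name": "allow-mgmt-range", "access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefixes": ["10.0.0.0/8", "Internet"],
         "destinationPortRange": "3000-4000"},
    ],
}

if __name__ == "__main__":
    for service, rule_name in find_violations(SAMPLE_NSG):
        print(f"{SAMPLE_NSG['name']}: rule {rule_name} allows {service} from the Internet")
```

Two points worth noticing in the sample: the wide "3000-4000" range is flagged for RDP even though 3389 is never named, and the explicit Deny rule is not flagged but also does not make the broad Allow rules compliant, because the check is per rule and does not model NSG priority ordering.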
Monitoring | b954148f-4c11-4c38-8221-be76711e194a | An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-01-29 21:53:30
add: b954148f-4c11-4c38-8221-be76711e194a
Security Center | af8051bf-258b-44e2-a2bf-165330459f9d | [Deprecated]: Monitor unaudited SQL servers in Azure Security Center | SQL servers which don't have SQL auditing turned on will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Auditing should be enabled on advanced data security settings on SQL Server' | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-01-29 05:56:46
change: Previous DisplayName: [Deprecated] Monitor unaudited SQL servers in Azure Security Center
Security Center | a8bef009-a5c9-4d0f-90d7-6018734e8a16 | [Deprecated]: Monitor unencrypted SQL databases in Azure Security Center | Unencrypted SQL databases will be monitored by Azure Security Center as recommendations. This policy is deprecated and replaced by the following policy: 'Transparent Data Encryption on SQL databases should be enabled' | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-01-29 05:56:46
change: Previous DisplayName: [Deprecated] Monitor unencrypted SQL databases in Azure Security Center
SQL | a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 | Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server, except Synapse, and save them in an audit log. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-01-10 16:39:23
change: Previous DisplayName: Auditing should be enabled on advanced data security settings on SQL Server
Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-01-10 16:39:23
change: Previous DisplayName: Virtual machines should be associated with a Network Security Group
Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive Network Hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-01-10 16:39:23
change: Previous DisplayName: Network Security Group Rules for Internet facing virtual machines should be hardened
Security Center | 201ea587-7c90-41c3-910f-c280ae01cfd6 | [Deprecated]: Web ports should be restricted on Network Security Groups associated to your VM | Azure Security Center has discovered that some of your virtual machines are running web applications, and the NSGs associated to these virtual machines are overly permissive with regard to the web application ports. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-01-10 16:39:23
change: Previous DisplayName: The NSGs rules for web applications on IaaS should be hardened
Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Windows Components'
Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Roles: Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Adminstrative Templates - MSS (Legacy)'
Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2019-12-17 15:43:46
change: Previous DisplayName: [Preview]: Deploy requirements to audit Windows VMs configurations in 'Security Options - Audit'
Monitoring | fbb99e8e-e444-4da0-9ff1-75c92f5a85b2 | Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-12-11 09:18:30
add: fbb99e8e-e444-4da0-9ff1-75c92f5a85b2
Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-12-11 09:18:30
add: 013e242c-8828-4970-87b3-ab247555486d
App Service | 95bccee9-a7f8-4bec-9ee9-62c3473701fc | Authentication should be enabled on your web app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the web app, or authenticate those that have tokens before they reach the web app | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-12-11 09:18:30
add: 95bccee9-a7f8-4bec-9ee9-62c3473701fc
Guest Configuration | 6141c932-9384-44c6-a395-59e4c057d7c9 | Configure time zone on Windows machines. | This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. | Fixed: deployIfNotExists | Contributor
2019-12-11 09:18:30
change: Previous DisplayName: Configure time zone on Windows machines.
App Service | c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8 | Authentication should be enabled on your Function app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the Function app, or authenticate those that have tokens before they reach the Function app | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-12-11 09:18:30
add: c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8
App Service | c4ebc54a-46e1-481a-bee2-d4411e95d828 | Authentication should be enabled on your API app | Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-12-11 09:18:30
add: c4ebc54a-46e1-481a-bee2-d4411e95d828
Monitoring | 2f2ee1de-44aa-4762-b6bd-0893fc3f306d | [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-27 16:06:41
add: 2f2ee1de-44aa-4762-b6bd-0893fc3f306d
Monitoring | 04c4380f-3fae-46e8-96c9-30193528f602 | [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-27 16:06:41
add: 04c4380f-3fae-46e8-96c9-30193528f602
Key Vault | a22f4a40-01d3-4c7d-8071-da157eeff341 | [Preview]: Certificates should be issued by the specified non-integrated certificate authority | Manage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. | Default: audit
Allowed: (audit, deny, disabled)
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should be issued by an approved custom Certificate Authority provider
Key Vault | 12ef42cb-9903-4e39-9c26-422d29570417 | [Preview]: Certificates should have the specified lifetime action triggers | Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. | Default: audit
Allowed: (audit, deny, disabled)
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should have the specified lifetime action trigger
Key Vault | 1151cede-290b-4ba0-8b38-0ad145ac888f | [Preview]: Certificates should use allowed key types | Manage your organizational compliance requirements by restricting the key types allowed for certificates. | Default: audit
Allowed: (audit, deny, disabled)
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should have the specified key types
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on VMs without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2019-11-19 11:26:09
change: Previous DisplayName: Deploy prerequisites to backup VMs of a location to an existing central Vault in the same location
Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default: audit
Allowed: (audit, deny, disabled)
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should not have a lengthy validity period
Key Vault | cee51871-e572-4576-855c-047c820360f0 | [Preview]: Certificates using RSA cryptography should have the specified minimum key size | Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. | Default: audit
Allowed: (audit, deny, disabled)
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificate key sizes should be sufficiently large
Key Vault | f772fb64-8e40-40ad-87bc-7706e1949427 | [Preview]: Certificates should not expire within the specified number of days | Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. | Default: audit
Allowed: (audit, deny, disabled)
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should not expire in the specified number of days
Key Vault | 8e826246-c976-48f6-b03e-619bb92b3d82 | [Preview]: Certificates should be issued by the specified integrated certificate authority | Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. | Default: audit
Allowed: (audit, deny, disabled)
2019-11-19 11:26:09
change: Previous DisplayName: [Preview]: Certificates should be issued by an approved Azure Key Vault supported Certificate Authority provider
App Service | 843664e0-7563-41ee-a9cb-7522c382d2c4 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 843664e0-7563-41ee-a9cb-7522c382d2c4
App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc
App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 88999f4c-376a-45c8-bcb3-4058f713cf39
Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Do not allow privileged containers in AKS
App Service | 5bb220d9-2698-4ee4-8404-b9c30c9df609 | Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit
Allowed: (Audit, Disabled)
2019-11-12 19:11:12
add: 5bb220d9-2698-4ee4-8404-b9c30c9df609
Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce labels on pods in AKS
App Service | 58d94fc1-a072-47c2-bd37-9cdb38e77453 | [Deprecated]: Ensure Function app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: Ensure Function app is using the latest version of TLS encryption
App Service | 86d97760-d216-4d81-a3ad-163087b2b6c3 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 86d97760-d216-4d81-a3ad-163087b2b6c3
App Service | 7238174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 7238174a-fd10-4ef0-817e-fc820a951d73
App Service | 0c192fe8-9cbb-4516-85b3-0ade8bd03886 | Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit
Allowed: (Audit, Disabled)
2019-11-12 19:11:12
add: 0c192fe8-9cbb-4516-85b3-0ade8bd03886
App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 74c3584d-afae-46f7-a20a-6f8adba71a16
Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure services listen only on allowed ports in AKS
Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce unique ingress hostnames across namespaces in AKS
App Service | ab965db2-d2bf-4b64-8b39-c38ec8179461 | [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app | PHP cannot be used with Function apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: ab965db2-d2bf-4b64-8b39-c38ec8179461
Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure only allowed container images in AKS
App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 991310cd-e9f3-47bc-b7b6-f57b557d07db
App Service | f0473e7a-a1ba-4e86-afb2-e829e11b01d8 | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: f0473e7a-a1ba-4e86-afb2-e829e11b01d8
App Service | e2c1c086-2d84-4019-bff3-c44ccd95113c | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: e2c1c086-2d84-4019-bff3-c44ccd95113c
App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 7008174a-fd10-4ef0-817e-fc820a951d73
App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | Ensure that 'HTTP Version' is the latest, if used to run the Web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 8c122334-9d20-4eb8-89ea-ac9a705b74ae
App Service | aa81768c-cb87-4ce2-bfaa-00baa10d760c | [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App | This policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: aa81768c-cb87-4ce2-bfaa-00baa10d760c
App Service | 10c1859c-e1a7-4df3-ab97-a487fa8059f6 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 10c1859c-e1a7-4df3-ab97-a487fa8059f6
App Service | c2e7ca55-f62c-49b2-89a4-d41eb661d2f0 | [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app | This policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: c2e7ca55-f62c-49b2-89a4-d41eb661d2f0
App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Ensure Function app has 'Client Certificates (Incoming client certificates)' set to 'On' | Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. | Default: Audit
Allowed: (Audit, Disabled)
2019-11-12 19:11:12
add: eaebaea7-8013-4ceb-9d14-7eb32271373c
Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce HTTPS ingress in AKS
App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba
App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 496223c3-ad65-4ecd-878a-bae78737e9ed
App Service | e567365d-4228-430f-ac39-7d5d46e617ac | Ensure API app is using the latest version of TLS encryption | The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | n/a | n/a
2019-11-12 19:11:12
remove: e567365d-4228-430f-ac39-7d5d46e617ac
Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure CPU and memory resource limits defined on containers in AKS
Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Enforce internal load balancers in AKS
Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: [Limited Preview]: Ensure containers listen only on allowed ports in AKS
App Service | 6ad61431-88ce-4357-a0e1-6da43f292bd7 | [Deprecated]: Ensure WEB app is using the latest version of TLS encryption | Please use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b instead. The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
change: Previous DisplayName: Ensure WEB app is using the latest version of TLS encryption
App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-11-12 19:11:12
add: 7261b898-8a84-4db8-9e04-18527132abb3
Key Vault | bd78111f-4953-4367-9fd5-7e08808b54bf | [Preview]: Certificates using elliptic curve cryptography should have allowed curve names | Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. | Default: audit
Allowed: (audit, deny, disabled)
2019-11-02 10:12:34
add: bd78111f-4953-4367-9fd5-7e08808b54bf
Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: b889a06c-ec72-4b03-910a-cb169ee18721
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Enforce HTTPS ingress in Kubernetes cluster | This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d
App Service | 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b | FTPS should be required in your Web App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: 4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b
App Service | 0da106f2-4ca3-48e8-bc85-c638fe6aea8f | Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: 0da106f2-4ca3-48e8-bc85-c638fe6aea8f
Custom Provider | c15c281f-ea5c-44cd-90b8-fc3c14d13f0c | Deploy associations for a custom provider | Deploys an association resource that associates selected resource types to the specified custom provider. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor
2019-10-29 23:04:36
add: c15c281f-ea5c-44cd-90b8-fc3c14d13f0c
Lighthouse | 76bed37b-484f-430f-a009-fd7592dff818 | Audit delegation of scopes to a managing tenant | Audit delegation of scopes to a managing tenant via Azure Lighthouse. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-29 23:04:36
add: 76bed37b-484f-430f-a009-fd7592dff818
App Service | f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b | Latest TLS version should be used in your Web App | Upgrade to the latest TLS version | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b
Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: b2fd3e59-6390-4f2b-8247-ea676bd03e2d
Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics resource that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673
Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster | This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: e345eecc-fa47-480f-9e88-67dcc122b164
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Ensure services listen only on allowed ports in Kubernetes cluster | This policy requires that services listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: 233a2a17-77ca-4fb1-9b6b-69223d272a44
Monitoring | 6b51af03-9277-49a9-a3f8-1c69c9ff7403 | Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus resource that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2019-10-29 23:04:36
add: 6b51af03-9277-49a9-a3f8-1c69c9ff7403
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Do not allow privileged containers in Kubernetes cluster | This policy does not allow the creation of privileged containers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: 95edb821-ddaf-4404-9732-666045e056b4
Monitoring | a1dae6c7-13f3-48ea-a149-ff8442661f60 | Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic App that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2019-10-29 23:04:36
add: a1dae6c7-13f3-48ea-a149-ff8442661f60
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2019-10-29 23:04:36
add: fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50
App Service | f9d614c5-c173-4d56-95a7-b4437057d193 | Latest TLS version should be used in your Function App | Upgrade to the latest TLS version | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: f9d614c5-c173-4d56-95a7-b4437057d193
App Service | 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e | Latest TLS version should be used in your API App | Upgrade to the latest TLS version | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: 8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e
SQL | 48af4db5-9b8b-401c-8e74-076be876a430 | Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed when the server is created. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-29 23:04:36
add: 48af4db5-9b8b-401c-8e74-076be876a430
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Ensure containers listen only on allowed ports in Kubernetes cluster | This policy requires that containers listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: 440b515e-a580-421e-abeb-b159a61ddcbc
SQL | 82339799-d096-41ae-8538-b108becf0970 | Geo-redundant backup should be enabled for Azure Database for MySQL | Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed when the server is created. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-29 23:04:36
add: 82339799-d096-41ae-8538-b108becf0970
Monitoring | edf3780c-3d70-40fe-b17e-ab72013dafca | Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics resource that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2019-10-29 23:04:36
add: edf3780c-3d70-40fe-b17e-ab72013dafca
SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: d38fc420-0735-4ef3-ac11-c806f651a570
Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 1f6e93e8-6b31-41b1-83f6-36e449a42579
Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus resource that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 04d53d87-841c-4f23-8a5b-21564380b55e
Storage | bf045164-79ba-4215-8f95-f8048dc1780b | Geo-redundant storage should be enabled for Storage Accounts | This policy audits any Storage Account with geo-redundant storage not enabled. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-29 23:04:36
add: bf045164-79ba-4215-8f95-f8048dc1780b
App Service | 9a1b8c48-453a-4044-86c3-d8bfd823e4f5 | FTPS only should be required in your API App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: 9a1b8c48-453a-4044-86c3-d8bfd823e4f5
Monitoring | db51110f-0865-4a6e-b274-e2e07a5b2cd7 | Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2019-10-29 23:04:36
add: db51110f-0865-4a6e-b274-e2e07a5b2cd7
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Enforce labels on pods in Kubernetes cluster | This policy enforces that the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: 46592696-4c7b-4bf3-9e45-6c2763bdc0a6
Monitoring | ef7b61ef-b8e4-4c91-8e78-6946c6b0023f | Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2019-10-29 23:04:36
add: ef7b61ef-b8e4-4c91-8e78-6946c6b0023f
Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: bef3f64c-5290-43b7-85b0-9b254eef4c47
Monitoring | 3d5da587-71bd-41f5-ac95-dd3330c2d58d | Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Service that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2019-10-29 23:04:36
add: 3d5da587-71bd-41f5-ac95-dd3330c2d58d
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Enforce internal load balancers in Kubernetes cluster | This policy enforces that load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2019-10-29 23:04:36
add: 0ecd903d-91e7-4726-83d3-a229d7f2e293
App Service | c4d441f8-f9d9-4a9e-9cef-e82117cb3eef | Managed identity should be used in your API App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: c4d441f8-f9d9-4a9e-9cef-e82117cb3eef
e567365d-4228-430f-ac39-7d5d46e617ac Fixed:
2019-10-29 23:04:36
add: e567365d-4228-430f-ac39-7d5d46e617ac
Monitoring | 4daddf25-4823-43d4-88eb-2419eb6dcc08 | Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics resource that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2019-10-29 23:04:36
add: 4daddf25-4823-43d4-88eb-2419eb6dcc08
Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics resource that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03
Managed Application | 17763ad9-70c0-4794-9397-53d765932634 | Deploy associations for a managed application | Deploys an association resource that associates selected resource types to the specified managed application. This policy deployment does not support nested resource types. | Fixed: deployIfNotExists | Contributor
2019-10-29 23:04:36
add: 17763ad9-70c0-4794-9397-53d765932634
App Service | 399b2637-a50f-4f95-96f8-3a145476eb15 | FTPS only should be required in your Function App | Enable FTPS enforcement for enhanced security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: 399b2637-a50f-4f95-96f8-3a145476eb15
App Service | 2b9ad585-36bc-4615-b300-fd4435808332 | Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-29 23:04:36
add: 2b9ad585-36bc-4615-b300-fd4435808332
Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Service that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 08ba64b8-738f-4918-9686-730d2ed79c7d
Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Ensure only allowed container images in Kubernetes cluster | This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2019-10-29 23:04:36
add: febd0533-8e55-448f-b837-bd0e06f16469
Monitoring | 25763a0a-5783-4f14-969e-79d4933eb74b | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 resource that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: 25763a0a-5783-4f14-969e-79d4933eb74b
SQL | 0ec47710-77ff-4a3d-9181-6aa50af424d0 | Geo-redundant backup should be enabled for Azure Database for MariaDB | Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide a recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed when the server is created. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-29 23:04:36
add: 0ec47710-77ff-4a3d-9181-6aa50af424d0
Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2019-10-29 23:04:36
add: c84e5349-db6d-4769-805e-e14037dab9b5
Monitoring | e8d096bc-85de-4c5f-8cfb-857bd1b9d62d | Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 resource that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2019-10-29 23:04:36
add: e8d096bc-85de-4c5f-8cfb-857bd1b9d62d
SQL | 464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf | [Deprecated]: Require SQL Server version 12.0 | This policy ensures all SQL servers use version 12.0. This policy is deprecated because it is no longer possible to create an Azure SQL server with any version other than 12.0. | Fixed: Deny
2019-10-29 21:52:54
change: Previous DisplayName: Require SQL Server version 12.0
Network | d416745a-506c-48b6-8ab1-83cb814bcaa3 | Virtual machines should be connected to an approved virtual network | This policy audits any virtual machine connected to a virtual network that is not approved. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2019-10-11 00:02:54
add: d416745a-506c-48b6-8ab1-83cb814bcaa3
Network | f1776c76-f58c-4245-a8d0-2b207198dc8b | Virtual networks should use specified virtual network gateway | This policy audits any virtual network if the default route does not point to the specified virtual network gateway. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-11 00:02:54
add: f1776c76-f58c-4245-a8d0-2b207198dc8b
Network | 2d21331d-a4c2-4def-a9ad-ee4e1e023beb | App Service should use a virtual network service endpoint | This policy audits any App Service not configured to use a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-11 00:02:54
add: 2d21331d-a4c2-4def-a9ad-ee4e1e023beb
Network | ea4d6841-2173-4317-9747-ff522a45120f | Key Vault should use a virtual network service endpoint | This policy audits any Key Vault not configured to use a virtual network service endpoint. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-11 00:02:54
add: ea4d6841-2173-4317-9747-ff522a45120f
Network | 60d21c4f-21a3-4d94-85f4-b924e6aeeda4 | Storage Accounts should use a virtual network service endpoint | This policy audits any Storage Account not configured to use a virtual network service endpoint. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-11 00:02:54
add: 60d21c4f-21a3-4d94-85f4-b924e6aeeda4
Network | c4857be7-912a-4c75-87e6-e30292bcdf78 | [Preview]: Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-11 00:02:54
add: c4857be7-912a-4c75-87e6-e30292bcdf78
Monitoring | a70ca396-0a34-413a-88e1-b956c1e683be | The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machine on which the Log Analytics agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-11 00:02:54
add: a70ca396-0a34-413a-88e1-b956c1e683be
Monitoring | efbde977-ba53-4479-b8e9-10b957924fbf | The Log Analytics agent should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Set on which the Log Analytics agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-11 00:02:54
add: efbde977-ba53-4479-b8e9-10b957924fbf
Network | 235359c5-7c52-4b82-9055-01c75cf9f60e | Service Bus should use a virtual network service endpoint | This policy audits any Service Bus not configured to use a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-11 00:02:54
add: 235359c5-7c52-4b82-9055-01c75cf9f60e
Network | d63edb4a-c612-454d-b47d-191a724fcbf0 | Event Hub should use a virtual network service endpoint | This policy audits any Event Hub not configured to use a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-11 00:02:54
add: d63edb4a-c612-454d-b47d-191a724fcbf0
Network | ae5d2f14-d830-42b6-9899-df6cfe9c71a3 | SQL Server should use a virtual network service endpoint | This policy audits any SQL Server not configured to use a virtual network service endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-11 00:02:54
add: ae5d2f14-d830-42b6-9899-df6cfe9c71a3
Network | e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 | Cosmos DB should use a virtual network service endpoint | This policy audits any Cosmos DB not configured to use a virtual network service endpoint. | Default: Audit
Allowed: (Audit, Disabled)
2019-10-11 00:02:54
add: e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9
General | c1b9cbed-08e3-427d-b9ce-7c535b1e9b94 | [Deprecated]: Allow resource creation only in Asia data centers | Allows resource creation in the following locations only: East Asia, Southeast Asia, West India, South India, Central India, Japan East, Japan West. | Fixed: Deny
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Asia data centers
General | 983211ba-f348-4758-983b-21fa29294869 | [Deprecated]: Allow resource creation only in United States data centers | Allows resource creation in the following locations only: Central US, East US, East US2, North Central US, South Central US, West US. | Fixed: Deny
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in United States data centers
General | 94c19f19-8192-48cd-a11b-e37099d3e36b | [Deprecated]: Allow resource creation only in European data centers | Allows resource creation in the following locations only: North Europe, West Europe. | Fixed: Deny
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in European data centers
Tags | cd8dc879-a2ae-43c3-8211-1877c5755064 | [Deprecated]: Allow resource creation if 'department' tag set | Allows resource creation only if the 'department' tag is set. | Fixed: Deny
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation if 'department' tag set
Compute | 3d8640fc-63f6-4734-8dcb-cfd3d8c78f38 | [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs | This policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the selected Log Analytics workspace. | Fixed: deployIfNotExists | Log Analytics Contributor
2019-10-08 15:55:12
change: Previous DisplayName: Deploy default Log Analytics Agent for Ubuntu VMs
Tags | ac7e5fc0-c029-4b12-91d4-a8500ce697f9 | [Deprecated]: Allow resource creation if 'environment' tag value in allowed values | Allows resource creation if the 'environment' tag is set to one of the following values: production, dev, test, staging. | Fixed: Deny
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation if 'environment' tag value in allowed values
6fdb9205-3462-4cfc-87d8-16c7860b53f4 Fixed:
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Japan data centers
e01598e8-6538-41ed-95e8-8b29746cd697 Fixed:
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in Japan data centers
Security Center | abcc6037-1fc4-47f6-aac5-89706589be24 | [Deprecated]: Automatic provisioning of security monitoring agent | Installs security agent on VMs for advanced security alerts and preventions in Azure Security Center. Applies only for subscriptions that use Azure Security Center. | Fixed: AuditIfNotExists
2019-10-08 15:55:12
change: Previous DisplayName: Automatic provisioning of security monitoring agent
SQL | 06a78e20-9358-41c9-923c-fb736d382a12 | [Deprecated]: Audit SQL DB Level Audit Setting | Audit DB level audit setting for SQL databases. | Fixed: AuditIfNotExists
2019-10-08 15:55:12
change: Previous DisplayName: Audit SQL DB Level Audit Setting
General | 5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54 | [Deprecated]: Allow resource creation only in India data centers | Allows resource creation in the following locations only: West India, South India, Central India. | Fixed: Deny
2019-10-08 15:55:12
change: Previous DisplayName: Allow resource creation only in India data centers
SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3 | Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_duration setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3
SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d | Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_checkpoints setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d
SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e442 | Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without the log_connections setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e442
SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives a scan result summary after a periodic scan runs on SQL servers. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-03 22:58:00
add: 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9
SQL | eb6f77b9-bd53-4e35-a23d-7f65d5f0e446 | Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without the log_disconnections setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2019-10-03 22:58:00
add: eb6f77b9-bd53-4e35-a23d-7f65d5f0e446