last sync: 2021-Jul-23 16:37:57 UTC

Changes on Azure Policy definitions

Category Id DisplayName Description Effect Roles used Details (UTC ymd) (i)
SQL86a912f6-9a06-4e26-b447-11b16ba8659fDeploy SQL DB transparent data encryptionEnables transparent data encryption on SQL databases Fixed: DeployIfNotExistsSQL DB Contributor
2021-07-16 14:58:38
change: Major (1.0.0 > 2.0.0)
SQL17k78e20-9358-41c9-923c-fb736d382a12Transparent Data Encryption on SQL databases should be enabledTransparent data encryption should be enabled to protect data-at-rest and meet compliance requirements Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-07-16 14:58:38
change: Major (1.0.0 > 2.0.0)
Cache5d8094d7-7340-465a-b6fd-e60ab7e48920Configure Azure Cache for Redis with private endpointsPrivate endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Redis Cache Contributor
2021-07-15 16:24:53
add: 5d8094d7-7340-465a-b6fd-e60ab7e48920
Monitoringdddfa1af-dcd6-42f4-b5b0-e1db01e0b405Configure Azure Application Insights components to disable public network access for log ingestion and queryingDisable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Default: Modify
Allowed: (Modify, Disabled)
Application Insights Component Contributor
2021-07-15 16:24:53
change: Minor (1.0.0 > 1.1.0)
Security Center0961003e-5a0a-4549-abde-af6a37f2724dVirtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resourcesVirtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-07-15 16:24:53
change: Patch (2.0.0 > 2.0.1)
Cosmos DB862e97cf-49fc-4a5c-9de4-40d4e2e7c8ebAzure Cosmos DB accounts should have firewall rulesFirewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. Default: Deny
Allowed: (Audit, Deny, Disabled)
2021-07-15 16:24:53
change: Major (1.0.1 > 2.0.0)
Monitoringdddfa1af-dcd6-42f4-b5b0-e1db01e0b405Configure Azure Application Insights components to disable public network access for log ingestion and queryingDisable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. Default: Modify
Allowed: (Modify, Disabled)
Application Insights Component Contributor
2021-07-07 15:26:31
add: dddfa1af-dcd6-42f4-b5b0-e1db01e0b405
Monitoringd3ba9c42-9dd5-441a-957c-274031c750c0Configure Azure Log Analytics workspaces to disable public network access for log ingestion and queryingImprove workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. Default: Modify
Allowed: (Modify, Disabled)

2021-07-07 15:26:31
add: d3ba9c42-9dd5-441a-957c-274031c750c0
Event Hub836cd60e-87f3-4e6a-a27c-29d687f01a4cEvent Hub namespaces should have double encryption enabledEnabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-07-07 15:26:31
add: 836cd60e-87f3-4e6a-a27c-29d687f01a4c
Media Services4a591bf5-918e-4a5f-8dad-841863140d61Azure Media Services should use private linkAzure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-07-07 15:26:31
add: 4a591bf5-918e-4a5f-8dad-841863140d61
Storage044985bb-afe1-42cd-8a36-9d5d42424537Storage account keys should not be expiredEnsure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-07-07 15:26:31
change: Major (1.0.0 > 2.0.0)
Monitoring0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6Azure Monitor Private Link Scope should use private linkAzure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-07-07 15:26:31
add: 0fc55270-f8bf-4feb-b7b8-5e7e7eacc6a6
Security Centerc3d20c29-b36d-48fe-808b-99a87530ad99Azure Defender for Resource Manager should be enabledAzure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-07-07 15:26:31
change: Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Monitoringe8185402-357b-4768-8058-f620bc0ae6b5Configure Azure Monitor Private Link Scopes with private endpointsPrivate endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-07-07 15:26:31
add: e8185402-357b-4768-8058-f620bc0ae6b5
Service Busebaf4f25-a4e8-415f-86a8-42d9155bef0bService Bus namespaces should have double encryption enabledEnabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-07-07 15:26:31
add: ebaf4f25-a4e8-415f-86a8-42d9155bef0b
Media Servicesb4a7f6c1-585e-4177-ad5b-c2c93f4bb991Configure Azure Media Services to use private DNS zonesUse private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Media Services account. Learn more at: https://aka.ms/mediaservicesprivatelinkdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-07-07 15:26:31
add: b4a7f6c1-585e-4177-ad5b-c2c93f4bb991
Media Servicesc5632066-946d-4766-9544-cd79bcc1286eConfigure Azure Media Services with private endpointsPrivate endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Media Services, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/mediaservicesprivatelinkdocs. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Media Services Account Administrator
2021-07-07 15:26:31
add: c5632066-946d-4766-9544-cd79bcc1286e
App Service687aa49d-0982-40f8-bf6b-66d1da97a04bApp Service should use private linkAzure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to App Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-07-07 15:26:31
add: 687aa49d-0982-40f8-bf6b-66d1da97a04b
Monitoring437914ee-c176-4fff-8986-7e05eb971365Configure Azure Monitor Private Link Scope to use private DNS zonesUse private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-07-07 15:26:31
add: 437914ee-c176-4fff-8986-7e05eb971365
App Service546fe8d2-368d-4029-a418-6af48a7f61e5App Service apps should use a SKU that supports private linkWith supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-07-07 15:26:31
add: 546fe8d2-368d-4029-a418-6af48a7f61e5
Cosmos DBdc2d41d1-4ab1-4666-a3e1-3d51c43e0049Configure Cosmos DB database accounts to disable local authenticationDisable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default: Modify
Allowed: (Modify, Disabled)
DocumentDB Account Contributor
2021-07-07 15:26:31
add: dc2d41d1-4ab1-4666-a3e1-3d51c43e0049
Cosmos DB5450f5bd-9c72-4390-a9c4-a7aba4edfdd2Cosmos DB database accounts should have local authentication methods disabledDisabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-07-07 15:26:31
add: 5450f5bd-9c72-4390-a9c4-a7aba4edfdd2
Network235359c5-7c52-4b82-9055-01c75cf9f60e[Deprecated]: Service Bus should use a virtual network service endpointThis policy audits any Service Bus not configured to use a virtual network service endpoint. The resource type Microsoft.ServiceBus/namespaces/virtualNetworkRules is deprecated in the latest API version. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-22 14:29:30
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
App Serviceb318f84a-b872-429b-ac6d-a01b96814452Configure App Services to use private DNS zonesUse private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links a virtual network to an App Service. Learn more at: https://docs.microsoft.com/azure/app-service/networking/private-endpoint#dns. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-06-22 14:29:30
add: b318f84a-b872-429b-ac6d-a01b96814452
App Serviceeb4d34ab-0929-491c-bbf3-61e13da19f9aApp Service Environment should be provisioned with latest versionsOnly allow App Service Environment version 2 or version 3 to be provisioned. Older versions of App Service Environment require manual management of Azure resources and have greater scaling limitations. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-22 14:29:30
add: eb4d34ab-0929-491c-bbf3-61e13da19f9a
App Service72d04c29-f87d-4575-9731-419ff16a2757App Service Apps should be injected into a virtual networkInjecting App Service Apps in a virtual network unlocks advanced App Service networking and security features and provides you with greater control over your network security configuration. Learn more at: https://docs.microsoft.com/azure/app-service/web-sites-integrate-with-vnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-22 14:29:30
add: 72d04c29-f87d-4575-9731-419ff16a2757
Security Center5f8eb305-9c9f-4abe-9bb0-df220d9faba2[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agentConfigure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-06-22 14:29:30
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
App Service81dff7c0-4020-4b58-955d-c076a2136b56Configure App Services to disable public network accessDisable public network access for your App Services so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/app-service-private-endpoint. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Website Contributor
2021-06-22 14:29:30
add: 81dff7c0-4020-4b58-955d-c076a2136b56
App Service2d048aca-6479-4923-88f5-e2ac295d9af3App Service Environment apps should not be reachable over public internetTo ensure apps deployed in an App Service Environment are not accessible over public internet, one should deploy App Service Environment with an IP address in virtual network. To set the IP address to a virtual network IP, the App Service Environment must be deployed with an internal load balancer. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-22 14:29:30
add: 2d048aca-6479-4923-88f5-e2ac295d9af3
App Serviced79ab062-dffd-4318-8344-f70de714c0bc[Deprecated]: App Service should disable public network accessDisabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint. Default: Audit
Allowed: (Audit, Disabled)
2021-06-22 14:29:30
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Key Vault951af2fa-529b-416e-ab6e-066fd85ac459Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspaceDeploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-06-22 14:29:30
change: Patch (1.0.0 > 1.0.1)
Security Center8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28[Preview]: Configure machines to automatically create the Azure Security Center pipeline for Azure Monitor AgentConfigure machines to automatically create the Azure Security Center pipeline for Azure Monitor Agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and Log Analytics workspace in the same region as the machine to store audit records. Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-06-22 14:29:30
add: 8b5ad9ab-3d44-4a6e-9ac3-75b04ea5fd28
Monitoring199d5677-e4d9-4264-9465-efe1839c06bdApplication Insights components should block non-Azure Active Directory based ingestion.Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. Default: Audit
Allowed: (Deny, Audit, Disabled)
2021-06-22 14:29:30
add: 199d5677-e4d9-4264-9465-efe1839c06bd
Security Center1537496a-b1e8-482b-a06a-1cc2415cdc7b[Preview]: Configure supported Windows machines to automatically install the Azure Security agentConfigure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-06-22 14:29:30
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Monitoringe15effd4-2278-4c65-a0da-4d6f6d1890e2Log Analytics Workspaces should block non-Azure Active Directory based ingestion.Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. Default: Audit
Allowed: (Deny, Audit, Disabled)
2021-06-22 14:29:30
add: e15effd4-2278-4c65-a0da-4d6f6d1890e2
App Service63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7App Services should disable public network accessDisabling public network access improves security by ensuring that the App Service is not exposed on the public internet. Creating private endpoints can limit exposure of an App Service. Learn more at: https://aka.ms/app-service-private-endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-22 14:29:30
add: 63a0ac64-5d5f-4569-8a3d-df67cc1ce9d7
App Service91a78b24-f231-4a8a-8da9-02c35b2b6510Resource logs in App Services should be enabledAudit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-22 14:29:30
change: Major (2.0.0 > 1.0.0)
App Service817dcf37-e83d-4999-a472-644eada2ea1eApp Service Environment should be configured with strongest TLS Cipher suitesThe two most minimal and strongest cipher suites required for App Service Environment to function correctly are : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Default: Audit
Allowed: (Audit, Disabled)
2021-06-22 14:29:30
add: 817dcf37-e83d-4999-a472-644eada2ea1e
Storage8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54Storage accounts should prevent shared key accessAudit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-22 14:29:30
add: 8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54
Monitoring0c4bd2e8-8872-4f37-a654-03f6f38ddc76Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger.To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage Default: Audit
Allowed: (Deny, Audit, Disabled)
2021-06-22 14:29:30
add: 0c4bd2e8-8872-4f37-a654-03f6f38ddc76
Monitoring8e3e61b3-0b32-22d5-4edf-55f87fdb5955Configure Log Analytics workspace and automation account to centralize logs and monitoringDeploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, AuditIfNotExists, Disabled)
Contributor
2021-06-22 14:29:30
add: 8e3e61b3-0b32-22d5-4edf-55f87fdb5955
Data Lake057ef27e-665e-4328-8ea3-04b3122bd9fbResource logs in Azure Data Lake Store should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
Searchb4330a05-a843-4bc8-bf9a-cacce50c67f4Resource logs in Search services should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
Service Busf8d36e2f-389b-4ee4-898d-21aeb69a0f45Resource logs in Service Bus should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
Logic Apps34f95f76-5386-4de7-b824-0d8478470c9dResource logs in Logic Apps should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
Event Hub83a214f7-d01a-484b-91a9-ed54470c9a6aResource logs in Event Hub should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
Key Vaultcf820ca0-f99e-4f3e-84fb-66e913812d21Resource logs in Key Vault should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
Stream Analyticsf9be5368-9bf5-4b84-9e0a-7850da98bb46Resource logs in Azure Stream Analytics should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
Batch428256e6-1fac-4f48-a757-df34c2b3336dResource logs in Batch accounts should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
Data Lakec95c74d9-38fe-4f0d-af86-0c7d626a315cResource logs in Data Lake Analytics should be enabledAudit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (4.0.1 > 5.0.0)
App Service91a78b24-f231-4a8a-8da9-02c35b2b6510Resource logs in App Services should be enabledAudit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-17 14:24:41
change: Major (1.0.0 > 2.0.0)
Backup83644c87-93dd-49fe-bf9f-6aff8fd0834eConfigure backup on virtual machines with a given tag to a new recovery services vault with a default policyEnforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-06-15 14:05:41
change: Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0)
Container Registrydc921057-6b28-4fbe-9b83-f7bec05db6c2Container registries should have local authentication methods disabled.Disabling local authentication methods improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/acr/authentication. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-15 14:05:41
add: dc921057-6b28-4fbe-9b83-f7bec05db6c2
Container Registry79fdfe03-ffcb-4e55-b4d0-b925b8241759Configure container registries to disable local authentication.Disable local authentication so that your container registries exclusively require Azure Active Directory identities for authentication. Learn more about at: https://aka.ms/acr/authentication. Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-06-15 14:05:41
add: 79fdfe03-ffcb-4e55-b4d0-b925b8241759
Backup345fa903-145c-4fe1-8bcd-93ec2adccde8Configure backup on virtual machines with a given tag to an existing recovery services vault in the same locationEnforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-06-15 14:05:41
change: Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0)
Backup98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86Configure backup on virtual machines without a given tag to a new recovery services vault with a default policyEnforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-06-15 14:05:41
change: Version remains equal, old suffix: preview (3.0.0-preview > 3.0.0)
SQLabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9Azure Defender for SQL should be enabled for unprotected SQL Managed InstancesAudit each SQL Managed Instance without advanced data security. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-08 15:17:13
change: Patch (1.0.1 > 1.0.2)
Security Center95406fc3-1f69-47b0-8105-4c03b276ec5c[Preview]: Configure supported Linux virtual machines to automatically enable Secure BootConfigure supported Linux virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-06-08 15:17:13
add: 95406fc3-1f69-47b0-8105-4c03b276ec5c
Key Vault55615ac9-af46-4a59-874e-391cc3dfb490[Preview]: Azure Key Vault should disable public network accessDisable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-08 15:17:13
change: Major, suffix remains equal (1.1.0-preview > 2.0.0-preview)
SQL6134c3db-786f-471e-87bc-8f479dc890f6Deploy Advanced Data Security on SQL serversThis policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. Fixed: DeployIfNotExistsSQL Security Manager
Storage Account Contributor
2021-06-08 15:17:13
change: Minor (1.1.0 > 1.2.0)
Security Centere494853f-93c3-4e44-9210-d12f61a64b34[Preview]: Configure supported virtual machines to automatically enable vTPMConfigure supported virtual machines to automatically enable vTPM to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-06-08 15:17:13
add: e494853f-93c3-4e44-9210-d12f61a64b34
SQLabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9Azure Defender for SQL should be enabled for unprotected Azure SQL serversAudit SQL servers without Advanced Data Security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-08 15:17:13
change: Patch (2.0.0 > 2.0.1)
Kubernetes233a2a17-77ca-4fb1-9b6b-69223d272a44Kubernetes cluster services should listen only on allowed portsRestrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2021-06-08 15:17:13
change: Patch (6.1.0 > 6.1.1)
Kubernetes440b515e-a580-421e-abeb-b159a61ddcbcKubernetes cluster containers should only listen on allowed portsRestrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2021-06-08 15:17:13
change: Patch (6.1.0 > 6.1.1)
Key Vault
1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
Key vaults should have soft delete enabled
Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-08 15:17:13
change: Major (1.0.2 > 2.0.0)
Security Center
7cb1b219-61c6-47e0-b80c-4472cadeeb5f
[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot
Configure supported Windows virtual machines to automatically enable Secure Boot to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-06-08 15:17:13
add: 7cb1b219-61c6-47e0-b80c-4472cadeeb5f
Key Vault
0b60c0b2-2dc2-4e1c-b5c9-abbed971de53
Key vaults should have purge protection enabled
Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-08 15:17:13
change: Major (1.1.1 > 2.0.0)
Security Center
1537496a-b1e8-482b-a06a-1cc2415cdc7b
[Preview]: Configure supported Windows machines to automatically install the Azure Security agent
Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-06-02 22:44:52
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Network
b6e2945c-0b7b-40f5-9233-7a5323b5cdc6
Network Watcher should be enabled
Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. A network watcher resource group must be created in every region where a virtual network is present. An alert is raised if a network watcher resource group is not available in a particular region.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-02 22:44:52
change: Major (2.0.0 > 3.0.0)
App Configuration
72bc14af-4ab8-43af-b4e4-38e7983f9a1f
Configure App Configuration stores to disable local authentication methods
Disable local authentication methods so that your App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-06-02 22:44:52
add: 72bc14af-4ab8-43af-b4e4-38e7983f9a1f
Monitoring
ca817e41-e85a-4783-bc7f-dc532d36235e
Configure Windows virtual machines with Azure Monitor Agent
Deploy Azure Monitor Agent for Windows virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-06-02 22:44:52
change: Major (1.0.0 > 2.0.0)
Monitoring
17b3de92-f710-4cf4-aa55-0e7859f1ed7b
[ASC Private Preview] Configure system-assigned managed identity to enable Azure Monitor assignments on VMs
[ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location.
Default: Modify
Allowed: (Modify, Disabled)
Virtual Machine Contributor
2021-06-02 22:44:52
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Cognitive Services
14de9e63-1b31-492e-a5a3-c3f7fd57f555
Configure Cognitive Services accounts to disable local authentication methods
Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-06-02 22:44:52
add: 14de9e63-1b31-492e-a5a3-c3f7fd57f555
Security Center
2ada9901-073c-444a-9a9a-91865174f0aa
[Preview]: Configure Azure Defender for SQL agent on virtual machine
Configure Windows machines to automatically install the Azure Defender for SQL agent where the Azure Monitor Agent is installed. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. Target virtual machines must be in a supported location.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-06-02 22:44:52
add: 2ada9901-073c-444a-9a9a-91865174f0aa
App Configuration
b08ab3ca-1062-4db3-8803-eec9cae605d6
App Configuration stores should have local authentication methods disabled
Disabling local authentication methods improves security by ensuring that App Configuration stores require Azure Active Directory identities exclusively for authentication. Learn more at: https://go.microsoft.com/fwlink/?linkid=2161954.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-02 22:44:52
add: b08ab3ca-1062-4db3-8803-eec9cae605d6
Security Center
15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554
Log Analytics agent should be installed on your Cloud Services (extended support) role instances
Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-06-02 22:44:52
change: Major (1.0.0 > 2.0.0)
Kubernetes
d2e7ea85-6b44-4317-a0be-1b951587f626
[Preview]: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-06-02 22:44:52
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Cognitive Services
71ef260a-8f18-47b7-abcb-62d0673d94dc
Cognitive Services accounts should have local authentication methods disabled
Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/cs/auth.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-06-02 22:44:52
add: 71ef260a-8f18-47b7-abcb-62d0673d94dc
Monitoring
2ea82cdd-f2e8-4500-af75-67a2e084ca74
Configure Association to link Linux virtual machines to Data Collection Rule
Deploy Association to link Linux virtual machine to specified Data Collection Rule. The list of OS images is updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2021-05-26 13:43:16
add: 2ea82cdd-f2e8-4500-af75-67a2e084ca74
Monitoring
94c1f94d-33b0-4062-bd04-1cdc3e7eece2
Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys
Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.
Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-05-26 13:43:16
add: 94c1f94d-33b0-4062-bd04-1cdc3e7eece2
Web PubSub
52630df9-ca7e-442b-853b-c6ce548b31a2
Azure Web PubSub Service should use private link
Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-26 13:43:16
add: 52630df9-ca7e-442b-853b-c6ce548b31a2
Security Center
b1bb3592-47b8-4150-8db0-bfdcc2c8965b
[Preview]: Linux virtual machines should use Secure Boot
To protect against the installation of malware-based rootkits and boot kits, enable Secure Boot on supported Linux virtual machines. Secure Boot ensures that only signed operating systems and drivers will be allowed to run. This assessment only applies to Linux virtual machines that have the Azure Monitor Agent installed.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-26 13:43:16
add: b1bb3592-47b8-4150-8db0-bfdcc2c8965b
Monitoring
a4034bc6-ae50-406d-bf76-50f4ee5a7811
Configure Linux virtual machines with Azure Monitor Agent
Deploy Azure Monitor Agent for Linux virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-05-26 13:43:16
change: Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Security Center
f6358610-e532-4236-b178-4c65865eb262
[Preview]: Virtual machines guest attestation status should be healthy
Guest attestation is performed by sending a trusted log (TCGLog) to an attestation server. The server uses these logs to determine whether boot components are trustworthy. This assessment is intended to detect compromises of the boot chain which might be the result of a bootkit or rootkit infection. This assessment only applies to Trusted Launch enabled virtual machines that have Guest Attestation extension installed.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-26 13:43:16
add: f6358610-e532-4236-b178-4c65865eb262
App Service
d79ab062-dffd-4318-8344-f70de714c0bc
[Deprecated]: App Service should disable public network access
Disabling public network access improves security by ensuring that the app service is not exposed on the public internet. Creating private endpoints can limit exposure of the app service. Learn more at: https://aka.ms/app-service-private-endpoint.
Default: Audit
Allowed: (Audit, Disabled)
2021-05-26 13:43:16
add: d79ab062-dffd-4318-8344-f70de714c0bc
Kubernetes
708b60a6-d253-4fe0-9114-4be4c00f012c
[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Azure Defender's extension
Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
Log Analytics Contributor
2021-05-26 13:43:16
add: 708b60a6-d253-4fe0-9114-4be4c00f012c
Monitoring
ca817e41-e85a-4783-bc7f-dc532d36235e
Configure Windows virtual machines with Azure Monitor Agent
Deploy Azure Monitor Agent for Windows virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-05-26 13:43:16
change: Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Web PubSub
0b026355-49cb-467b-8ac4-f777874e175a
Configure Azure Web PubSub Service to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-05-26 13:43:16
add: 0b026355-49cb-467b-8ac4-f777874e175a
Web PubSub
bf45113f-264e-4a87-88f9-29ac8a0aca6a
Azure Web PubSub Service should disable public network access
Disabling public network access improves security by ensuring that Azure Web PubSub service isn't exposed on the public internet. Creating private endpoints can limit exposure of Azure Web PubSub service. Learn more at: https://aka.ms/awps/networkacls.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-26 13:43:16
add: bf45113f-264e-4a87-88f9-29ac8a0aca6a
Kubernetes
8dfab9c4-fe7b-49ad-85e4-1e9be085358f
[Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed
Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-26 13:43:16
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Web PubSub
1b9c0b58-fc7b-42c8-8010-cdfa1d1b8544
Configure Azure Web PubSub Service with private endpoints
Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
SignalR Contributor
2021-05-26 13:43:16
add: 1b9c0b58-fc7b-42c8-8010-cdfa1d1b8544
SQL
18adea5e-f416-4d0f-8aa8-d24321e3e274
PostgreSQL servers should use customer-managed keys to encrypt data at rest
Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-26 13:43:16
change: Patch (1.0.3 > 1.0.4)
Site Recovery
942bd215-1a66-44be-af65-6a1c0318dbe2
[Preview]: Configure Azure Recovery Services vaults to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Recovery Services Vaults. Learn more at: https://aka.ms/privatednszone.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-05-26 13:43:16
add: 942bd215-1a66-44be-af65-6a1c0318dbe2
Web PubSub
82909236-25f3-46a6-841c-fe1020f95ae1
Azure Web PubSub Service should use a SKU that supports private link
With supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Web PubSub service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-26 13:43:16
add: 82909236-25f3-46a6-841c-fe1020f95ae1
Monitoring
eab1f514-22e3-42e3-9a1f-e1dc9199355c
Configure Association to link Windows virtual machines to Data Collection Rule
Deploy Association to link Windows virtual machines to specified Data Collection Rule. The list of OS images is updated over time as support is increased.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
2021-05-26 13:43:16
add: eab1f514-22e3-42e3-9a1f-e1dc9199355c
Site Recovery
11e3da8c-1d68-4392-badd-0ff3c43ab5b0
[Preview]: Recovery Services vaults should use private link
Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink.
Default: Audit
Allowed: (Audit, Disabled)
2021-05-26 13:43:16
add: 11e3da8c-1d68-4392-badd-0ff3c43ab5b0
Backup
af783da1-4ad1-42be-800d-d19c70038820
[Preview]: Configure Recovery Services vaults to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Recovery Services vault. Learn more at: https://aka.ms/AB-PrivateEndpoints.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-05-26 13:43:16
add: af783da1-4ad1-42be-800d-d19c70038820
Guest Configuration
3e4e2bd5-15a2-4628-b3e1-58977e9793f3
Audit Windows machines that do not have the specified Windows PowerShell modules installed
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-26 13:43:16
change: Major (1.0.0 > 2.0.0)
SQL
83cef61d-dbd1-4b20-a4fc-5fbc7da10833
MySQL servers should use customer-managed keys to encrypt data at rest
Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-26 13:43:16
change: Patch (1.0.3 > 1.0.4)
Site Recovery
e95a8a5c-0987-421f-84ab-df4d88ebf7d1
[Preview]: Configure private endpoints on Azure Recovery Services vaults
Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your site recovery resources of Recovery Services vaults, you can reduce data leakage risks. To use private links, managed service identity must be assigned to Recovery Services Vaults. Learn more about private links at: https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Site Recovery Contributor
2021-05-26 13:43:16
add: e95a8a5c-0987-421f-84ab-df4d88ebf7d1
Web PubSub
5b1213e4-06e4-4ccc-81de-4201f2f7131a
Configure Azure Web PubSub Service to disable public network access
Disable public network access for your Azure Web PubSub resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/awps/networkacls.
Default: Modify
Allowed: (Modify, Disabled)
SignalR Contributor
2021-05-26 13:43:16
add: 5b1213e4-06e4-4ccc-81de-4201f2f7131a
Network
2f080164-9f4d-497e-9db6-416dc9f7b48a
Network Watcher flow logs should have traffic analytics enabled
Traffic analytics analyzes Network Watcher network security group flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more.
Default: Audit
Allowed: (Audit, Disabled)
2021-05-18 14:34:48
add: 2f080164-9f4d-497e-9db6-416dc9f7b48a
Monitoring
f47b5582-33ec-4c5c-87c0-b010a6b2e917
Virtual machines should be connected to a specified workspace
Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-18 14:34:48
change: Minor (1.0.1 > 1.1.0)
Guest Configuration
f79fef0d-0050-4c18-a303-5babb9c14ac7
Windows machines should only have local accounts that are allowed
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-18 14:34:48
add: f79fef0d-0050-4c18-a303-5babb9c14ac7
Media Services
e9914afe-31cd-4b8a-92fa-c887f847d477
Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns
Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri' the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property.
Default: Deny
Allowed: (Deny, Disabled)
2021-05-18 14:34:48
change: Patch (1.0.0 > 1.0.1)
Azure Active Directory
3aa87b5a-7813-4b57-8a43-42dd9df5aaa7
Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode
Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-18 14:34:48
change: Minor (1.0.0 > 1.1.0)
Synapse
5c8cad01-ef30-4891-b230-652dadb4876a
Configure Azure Synapse workspaces to disable public network access
Disable public network access for your Synapse workspace so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-05-18 14:34:48
add: 5c8cad01-ef30-4891-b230-652dadb4876a
Media Services
ccf93279-9c91-4143-a841-8d1f21505455
Azure Media Services accounts that allow access to the legacy v2 API should be blocked
The Media Services legacy v2 API allows requests that cannot be managed using Azure Policy. Media Services resources created using the 2020-05-01 API or later block access to the legacy v2 API.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-18 14:34:48
add: ccf93279-9c91-4143-a841-8d1f21505455
Synapse
38d8df46-cf4e-4073-8e03-48c24b29de0d
Azure Synapse workspaces should disable public network access
Disabling public network access improves security by ensuring that the Synapse workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of your Synapse workspaces. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/connectivity-settings.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-18 14:34:48
add: 38d8df46-cf4e-4073-8e03-48c24b29de0d
Network
e920df7f-9a64-4066-9b58-52684c02a091
Configure network security groups to enable traffic analytics
Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If a network security group already has traffic analytics enabled, the policy does not overwrite its settings. Flow logs are also enabled for the network security groups that do not have them. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-05-18 14:34:48
add: e920df7f-9a64-4066-9b58-52684c02a091
Guest Configuration
73db37c4-f180-4b0f-ab2c-8ee96467686b
Linux machines should only have local accounts that are allowed
Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-18 14:34:48
add: 73db37c4-f180-4b0f-ab2c-8ee96467686b
Network
5e1cd26a-5090-4fdb-9d6a-84a90335e22d
Configure network security groups to use specific workspace for traffic analytics
If a network security group already has traffic analytics enabled, the policy will overwrite its existing settings with the ones provided during policy creation. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-05-18 14:34:48
add: 5e1cd26a-5090-4fdb-9d6a-84a90335e22d
Media Services
daccf7e4-9808-470c-a848-1c5b582a1afb
Azure Media Services content key policies should use token authentication
Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Azure Active Directory.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-18 14:34:48
add: daccf7e4-9808-470c-a848-1c5b582a1afb
Media Services
a77d8bb4-8d22-4bc1-a884-f582a705b480
Azure Media Services accounts should use an API that supports Private Link
Media Services accounts should be created with an API that supports private link.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-18 14:34:48
add: a77d8bb4-8d22-4bc1-a884-f582a705b480
Compute
bc05b96c-0b36-4ca9-82f0-5c53f96ce05a
Configure disk access resources to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to a managed disk. Learn more at: https://aka.ms/disksprivatelinksdoc.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-05-11 14:06:18
add: bc05b96c-0b36-4ca9-82f0-5c53f96ce05a
Guest Configuration
385f5831-96d4-41db-9a3c-cd3af78aaae6
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Fixed: deployIfNotExists
Contributor
2021-05-11 14:06:18
change: Patch (1.0.0 > 1.0.1)
Storage
044985bb-afe1-42cd-8a36-9d5d42424537
Storage account keys should not be expired
Ensure that storage account keys are not expired when a key expiration policy is set. This improves the security of account keys by prompting action when keys have expired.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-11 14:06:18
add: 044985bb-afe1-42cd-8a36-9d5d42424537
Guest Configuration
331e8ea8-378a-410f-a2e5-ae22f38bb0da
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Fixed: deployIfNotExists
Contributor
2021-05-11 14:06:18
change: Patch (1.0.0 > 1.0.1)
SQL
80ed5239-4122-41ed-b54a-6f1fa7552816
Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers
Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-05-11 14:06:18
add: 80ed5239-4122-41ed-b54a-6f1fa7552816
Machine Learning
e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f
Machine Learning computes should have local authentication methods disabled
Disabling local authentication methods improves security by ensuring that Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-11 14:06:18
add: e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f
SQL
9a7c7a7d-49e5-4213-bea8-6a502b6272e0
Deploy Diagnostic Settings for Azure SQL Database to Event Hub
Deploys diagnostic settings that stream to a regional Event Hub on any Azure SQL Database that is missing these diagnostic settings when it is created or updated.
Fixed: DeployIfNotExists
Contributor
2021-05-11 14:06:18
change: Minor (1.1.0 > 1.2.0)
Kubernetes
95edb821-ddaf-4404-9732-666045e056b4
Kubernetes cluster should not allow privileged containers
Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2021-05-11 14:06:18
change: Major (6.0.0 > 7.0.0)
Guest Configuration
5752e6d6-1206-46d8-8ab1-ecc2f71a8112
Windows web servers should be configured to use secure communication protocols
To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-11 14:06:18
change: Major (2.1.0 > 3.0.0)
Monitoring | 41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 | Azure Monitor should collect activity logs from all regions | This policy audits any Azure Monitor log profile that does not export activities from all Azure-supported regions, including global. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-11 14:06:18
change: Major (1.0.0 > 2.0.0)
SQL | db048e65-913c-49f9-bb5f-1084184671d3 | Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-05-11 14:06:18
add: db048e65-913c-49f9-bb5f-1084184671d3
Machine Learning | a6f9a2d0-cff7-4855-83ad-4cd750666512 | Configure Machine Learning computes to disable local authentication methods | Disable local authentication methods so that your Machine Learning computes require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/azure-ml-aad-policy. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-05-11 14:06:18
add: a6f9a2d0-cff7-4855-83ad-4cd750666512
Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | [Preview]: Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-11 14:06:18
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Data Factory | 0088bc63-6dee-4a9c-9d29-91cfdc848952 | SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-11 14:06:18
change: Major (1.0.0 > 2.0.0)
Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | [Preview]: Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-11 14:06:18
change: Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)
SQL | a6cf7411-da9e-49e2-aec0-cba0250eaf8c | Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-05-11 14:06:18
add: a6cf7411-da9e-49e2-aec0-cba0250eaf8c
Monitoring | 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8 | Application Insights components should block log ingestion and querying from public networks | Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Default: audit
Allowed: (audit, deny, disabled)
2021-05-11 14:06:18
add: 1bc02227-0cb6-4e11-8f53-eb0b22eab7e8
Monitoring | 6c53d030-cc64-46f0-906d-2bc061cd1334 | Log Analytics workspaces should block log ingestion and querying from public networks | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | Default: audit
Allowed: (audit, deny, disabled)
2021-05-11 14:06:18
add: 6c53d030-cc64-46f0-906d-2bc061cd1334
Security Center | 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines | Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-04 14:34:06
add: 672fe5a1-2fcd-42d7-b85d-902b6e28c6ff
Security Center | f655e522-adff-494d-95c2-52d4f6d56a42 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets | Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-04 14:34:06
add: f655e522-adff-494d-95c2-52d4f6d56a42
Media Services | e9914afe-31cd-4b8a-92fa-c887f847d477 | Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns | Restrict HTTPS inputs used by Media Services jobs to known endpoints. Inputs from HTTPS endpoints can be disabled entirely by setting an empty list of allowed job input patterns. Where job inputs specify a 'baseUri', the patterns will be matched against this value; when 'baseUri' is not set, the pattern is matched against the 'files' property. | Default: Deny
Allowed: (Deny, Disabled)
2021-05-04 14:34:06
add: e9914afe-31cd-4b8a-92fa-c887f847d477
Security Center | c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf | [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Windows virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-05-04 14:34:06
add: c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf
Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-05-04 14:34:06
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Security Center | 1cb4d9c2-f88f-4069-bee0-dba239a57b09 | [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines | Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-04 14:34:06
add: 1cb4d9c2-f88f-4069-bee0-dba239a57b09
Security Center | a21f8c92-9e22-4f09-b759-50500d1d2dda | [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets | Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-04 14:34:06
add: a21f8c92-9e22-4f09-b759-50500d1d2dda
Security Center | 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3 | [Preview]: vTPM should be enabled on supported virtual machines | Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. | Default: Audit
Allowed: (Audit, Disabled)
2021-05-04 14:34:06
add: 1c30f9cd-b84c-49cc-aa2c-9288447cc3b3
Security Center | 5a913c68-0590-402c-a531-e57e19379da3 | [Deprecated]: Operating system version should be the most current version for your cloud service roles | Keeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-04 14:34:06
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Security Center | 97566dd7-78ae-4997-8b36-1c7bfe0d8121 | [Preview]: Secure Boot should be enabled on supported Windows virtual machines | Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines. | Default: Audit
Allowed: (Audit, Disabled)
2021-05-04 14:34:06
add: 97566dd7-78ae-4997-8b36-1c7bfe0d8121
App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-04 14:34:06
change: Minor (2.0.0 > 2.1.0)
Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | [Preview]: Configure machines to receive a vulnerability assessment agent | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment agent to all supported machines that don't already have it installed. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-05-04 14:34:06
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Storage | b5ec538c-daa0-4006-8596-35468b9148e8 | Storage account encryption scopes should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about storage account encryption scopes at https://aka.ms/encryption-scopes-overview. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-04 14:34:06
add: b5ec538c-daa0-4006-8596-35468b9148e8
Security Center | 6074e9a3-c711-4856-976d-24d51f9e065b | [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension | Configure supported Linux virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-05-04 14:34:06
add: 6074e9a3-c711-4856-976d-24d51f9e065b
App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should disable TLS 1.0 and 1.1 | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-05-04 14:34:06
change: Major (1.0.0 > 2.0.0)
Bot Service | 52152f42-0dda-40d9-976e-abb1acdd611e | Bot Service should have isolated mode enabled | Bots should be set to 'isolated only' mode. This setting configures Bot Service channels that require traffic over the public internet to be disabled. | Default: audit
Allowed: (audit, deny, disabled)
2021-05-04 14:34:06
add: 52152f42-0dda-40d9-976e-abb1acdd611e
Security Center | 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 | [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension | Configure supported Windows virtual machines to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-05-04 14:34:06
add: 98ea2fc7-6fc6-4fd1-9d8d-6331154da071
Security Center | 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e | [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension | Configure supported Linux virtual machines scale sets to automatically install the Guest Attestation extension to allow Azure Security Center to proactively attest and monitor the boot integrity. Boot integrity is attested via Remote Attestation. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-05-04 14:34:06
add: 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e
App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-05-04 14:34:06
change: Minor (2.0.0 > 2.1.0)
Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [ASC Private Preview] Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | [ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default: Modify
Allowed: (Modify, Disabled)
Virtual Machine Contributor
2021-05-04 14:34:06
change: Major, suffix remains equal (1.2.0-preview > 2.0.0-preview)
Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-04-27 15:38:15
change: Patch (1.2.0 > 1.2.1)
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-04-27 15:38:15
change: Major (2.0.0 > 3.0.0)
Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-04-27 15:38:15
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Security Center | 4df26ba8-026d-45b0-9521-bffa44d741d2 | Cloud Services (extended support) role instances should have system updates installed | Secure your Cloud Services (extended support) role instances by ensuring the latest security and critical updates are installed on them. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-27 15:38:15
add: 4df26ba8-026d-45b0-9521-bffa44d741d2
Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-04-27 15:38:15
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | Configure Dependency agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-04-27 15:38:15
change: Minor, old suffix: preview (1.1.0-preview > 1.2.0)
App Service | d6545c6b-dd9d-4265-91e6-0b451e2f1c50 | App Service Environment should disable TLS 1.0 and 1.1 | TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms. Disabling inbound TLS 1.0 and 1.1 traffic helps secure apps in an App Service Environment. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-04-27 15:38:15
add: d6545c6b-dd9d-4265-91e6-0b451e2f1c50
Security Center | a0c11ca4-5828-4384-a2f2-fd7444dd5b4d | Cloud Services (extended support) role instances should be configured securely | Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not exposed to any OS vulnerabilities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-27 15:38:15
add: a0c11ca4-5828-4384-a2f2-fd7444dd5b4d
Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-04-27 15:38:15
change: Minor, old suffix: preview (1.1.0-preview > 1.2.0)
SQL | 6134c3db-786f-471e-87bc-8f479dc890f6 | Deploy Advanced Data Security on SQL servers | This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | Fixed: DeployIfNotExists
SQL Security Manager
Storage Account Contributor
2021-04-27 15:38:15
change: Minor (1.0.0 > 1.1.0)
App Service | fb74e86f-d351-4b8d-b034-93da7391c01f | App Service Environment should enable internal encryption | Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment. To learn more, refer to https://docs.microsoft.com/azure/app-service/environment/app-service-app-service-environment-custom-settings#enable-internal-encryption. | Default: Audit
Allowed: (Audit, Disabled)
2021-04-27 15:38:15
add: fb74e86f-d351-4b8d-b034-93da7391c01f
SQL | 7ea8a143-05e3-4553-abfe-f56bef8b0b70 | Configure Azure SQL database servers diagnostic settings to Log Analytics workspace | Enables auditing logs for Azure SQL Database servers and streams the logs to a Log Analytics workspace when any SQL server that is missing this auditing is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL Security Manager
Log Analytics Contributor
2021-04-27 15:38:15
change: Patch (1.0.1 > 1.0.2)
App Service | 33228571-70a4-4fa1-8ca1-26d0aba8d6ef | App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network | By default, if one uses regional Azure Virtual Network (VNET) integration, the app only routes RFC1918 traffic into that respective virtual network. Using the API to set 'vnetRouteAllEnabled' to true enables all outbound traffic into the Azure Virtual Network. This setting allows features like network security groups and user defined routes to be used for all outbound traffic from the App Service app. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-27 15:38:15
add: 33228571-70a4-4fa1-8ca1-26d0aba8d6ef
Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-04-27 15:38:15
change: Minor (4.0.0 > 4.1.0)
SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created via T-SQL. | Default: Deny
Allowed: (Deny, Disabled)
2021-04-27 15:38:15
change: Major (1.0.1 > 2.0.0)
Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-04-27 15:38:15
change: Minor, old suffix: preview (1.1.0-preview > 1.2.0)
Security Center | 1e378679-f122-4a96-a739-a7729c46e1aa | Cloud Services (extended support) role instances should have an endpoint protection solution installed | Protect your Cloud Services (extended support) role instances from threats and vulnerabilities by ensuring an endpoint protection solution is installed on them. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-27 15:38:15
add: 1e378679-f122-4a96-a739-a7729c46e1aa
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-04-27 15:38:15
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Monitoring | 2465583e-4e78-4c15-b6be-a36cbc7c8b0f | Configure Azure Activity logs to stream to specified Log Analytics workspace | Deploys the diagnostic settings for Azure Activity to stream subscription audit logs to a Log Analytics workspace to monitor subscription-level events. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-04-27 15:38:15
add: 2465583e-4e78-4c15-b6be-a36cbc7c8b0f
Security Center | 15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554 | Log Analytics agent should be installed on your Cloud Services (extended support) role instances | Security Center collects data from your Cloud Services (extended support) role instances to monitor for security vulnerabilities and threats. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-27 15:38:15
add: 15fdbc87-8a47-4ee9-a2aa-9a2ea1f37554
Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-04-21 13:28:46
change: Minor, suffix remains equal (1.0.2-preview > 1.1.0-preview)
Cognitive Services | cddd188c-4b82-4c48-a19d-ddf74ee66a01 | Cognitive Services should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit
Allowed: (Audit, Disabled)
2021-04-21 13:28:46
add: cddd188c-4b82-4c48-a19d-ddf74ee66a01
Cognitive Services | db630ad5-52e9-4f4d-9c44-53912fe40053 | Configure Cognitive Services accounts with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. Learn more about private links at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Cognitive Services Contributor
2021-04-21 13:28:46
add: db630ad5-52e9-4f4d-9c44-53912fe40053
Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy is deprecated. Cognitive Services have data encryption enforced. | Default: Disabled
Allowed: (Audit, Deny, Disabled)
2021-04-21 13:28:46
change: Major, new suffix: deprecated (1.0.0 > 2.0.0-deprecated)
Backup | 013e242c-8828-4970-87b3-ab247555486d | Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-21 13:28:46
change: Major (1.0.1 > 2.0.0)
Cognitive Services | c4bc6f10-cb41-49eb-b000-d5ab82e2a091 | Configure Cognitive Services accounts to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Cognitive Services accounts. Learn more at: https://go.microsoft.com/fwlink/?linkid=2110097. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-04-21 13:28:46
add: c4bc6f10-cb41-49eb-b000-d5ab82e2a091
Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01dc | [Preview]: Configure key vaults to disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default: Modify
Allowed: (Modify, Disabled)
Key Vault Contributor
2021-04-21 13:28:46
add: ac673a9a-f77d-4846-b2d8-a57f8e1c01dc
Key Vault | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | [Preview]: Configure Azure Key Vaults to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-04-21 13:28:46
add: ac673a9a-f77d-4846-b2d8-a57f8e1c01d4
Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-21 13:28:46
change: Minor (2.0.0 > 2.1.0)
Key Vault | 9d4fad1f-5189-4a42-b29e-cf7929c6b6df | [Preview]: Configure Azure Key Vaults with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Key Vault Contributor
2021-04-21 13:28:46
add: 9d4fad1f-5189-4a42-b29e-cf7929c6b6df
Backup | 2e94d99a-8a36-4563-bc77-810d8893b671 | [Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-04-21 13:28:46
add: 2e94d99a-8a36-4563-bc77-810d8893b671
Key Vault | a6abeaec-4d90-4a02-805f-6b26c4d3fbe9 | [Preview]: Azure Key Vaults should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-04-21 13:28:46
add: a6abeaec-4d90-4a02-805f-6b26c4d3fbe9
Azure Active Directory | 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7 | Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode | Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at https://docs.microsoft.com/azure/active-directory-domain-services/secure-your-domain. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-04-21 13:28:46
add: 3aa87b5a-7813-4b57-8a43-42dd9df5aaa7
Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | [Deprecated]: Cognitive Services accounts should enable data encryption | This policy is deprecated. Cognitive Services have data encryption enforced. | Default: Disabled
Allowed: (Audit, Deny, Disabled)
2021-04-21 13:28:46
change: Major, new suffix: deprecated (1.0.0 > 2.0.0-deprecated)
Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practices as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-04-13 13:28:43
change: Major (3.0.0 > 4.0.0)
Data Factory | 8b0323be-cc25-4b61-935d-002c3798c6ea | Azure Data Factory should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-13 13:28:43
add: 8b0323be-cc25-4b61-935d-002c3798c6ea
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-04-07 13:27:17
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Data Factory | 496ca26b-f669-4322-a1ad-06b7b5e41882 | Configure private endpoints for Data factories | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Data Factory Contributor
2021-04-07 13:27:17
add: 496ca26b-f669-4322-a1ad-06b7b5e41882
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-04-07 13:27:17
change: Major (1.1.0 > 2.0.0)
Compute | 8405fdab-1faf-48aa-b702-999c9c172094 | Managed disks should disable public network access | Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default: Audit
Allowed: (Audit, Disabled)
2021-04-07 13:27:17
add: 8405fdab-1faf-48aa-b702-999c9c172094
Compute | 8426280e-b5be-43d9-979e-653d12a08638 | Configure managed disks to disable public network access | Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/disksprivatelinksdoc. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-04-07 13:27:17
add: 8426280e-b5be-43d9-979e-653d12a08638
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-04-07 13:27:17
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Data Factory | 08b1442b-7789-4130-8506-4f99a97226a7 | Configure Data Factories to disable public network access | Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: Modify
Allowed: (Modify, Disabled)
Data Factory Contributor
2021-04-07 13:27:17
add: 08b1442b-7789-4130-8506-4f99a97226a7
Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-04-07 13:27:17
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-04-07 13:27:17
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-04-07 13:27:17
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Data Factory | 86cd96e1-1745-420d-94d4-d3f2fe415aa4 | Configure private DNS zones for private endpoints that connect to Azure Data Factory | Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to your Azure Data Factory without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Azure Data Factory, see https://docs.microsoft.com/azure/data-factory/data-factory-private-link. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-04-07 13:27:17
add: 86cd96e1-1745-420d-94d4-d3f2fe415aa4
Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2021-04-07 13:27:17
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Compute | f39f5f49-4abf-44de-8c70-0756997bfb51 | Disk access resources should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-04-07 13:27:17
add: f39f5f49-4abf-44de-8c70-0756997bfb51
Compute | 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5 | Configure disk access resources with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/disksprivatelinksdoc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-04-07 13:27:17
add: 582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5
Guest Configuration | 480d0f91-30af-4a76-9afb-f5710ac52b09 | Private endpoints for Guest Configuration assignments should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-31 14:35:06
add: 480d0f91-30af-4a76-9afb-f5710ac52b09
Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-03-31 14:35:06
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Search | b698b005-b660-4837-b833-a7aaab26ddba | Configure Azure Cognitive Search services with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cognitive Search service, you can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Search Service Contributor
2021-03-31 14:35:06
add: b698b005-b660-4837-b833-a7aaab26ddba
Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-03-31 14:35:06
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Synapse | ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee | Configure Synapse workspaces to have auditing enabled | To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL Security Manager
Storage Account Contributor
2021-03-31 14:35:06
change: Minor (1.0.0 > 1.1.0)
Monitoring | 752154a7-1e0f-45c6-a880-ac75a7e4f648 | Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard | Enable resource logs for public IP addresses in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-03-31 14:35:06
add: 752154a7-1e0f-45c6-a880-ac75a7e4f648
SignalR | ef45854f-b33f-49a3-8041-9057e915d88f | Configure private endpoints to Azure SignalR Service | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure SignalR Service resources, you can reduce data leakage risks. Learn more at https://aka.ms/asrs/privatelink. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
SignalR Contributor
2021-03-31 14:35:06
add: ef45854f-b33f-49a3-8041-9057e915d88f
SQL | f4c68484-132f-41f9-9b6d-3e4b1cb55036 | Configure SQL servers to have auditing enabled | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL Security Manager
Storage Account Contributor
2021-03-31 14:35:06
change: Minor (1.1.0 > 1.2.0)
VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-03-31 14:35:06
change: Minor (1.0.1 > 1.1.0)
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-03-31 14:35:06
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-03-31 14:35:06
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-03-31 14:35:06
change: Major, suffix remains equal (1.0.1-preview > 2.0.0-preview)
Network | 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d | Virtual networks should be protected by Azure DDoS Protection Standard | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. | Default: Modify
Allowed: (Modify, Audit, Disabled)
Network Contributor
2021-03-31 14:35:06
add: 94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d
Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes; the policy can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2021-03-31 14:35:06
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Search | 0fda3595-9f2b-4592-8675-4231d6fa82fe | Azure Cognitive Search services should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced. Learn more about private links at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. | Default: Audit
Allowed: (Audit, Disabled)
2021-03-31 14:35:06
add: 0fda3595-9f2b-4592-8675-4231d6fa82fe
Kubernetes | 8dfab9c4-fe7b-49ad-85e4-1e9be085358f | [Preview]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed | Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-24 14:32:48
add: 8dfab9c4-fe7b-49ad-85e4-1e9be085358f
Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-24 14:32:48
change: Minor (1.0.0 > 1.1.0)
Storage | 970f84d8-71b6-4091-9979-ace7e3fb6dbb | HPC Cache accounts should use customer-managed key for encryption | Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-03-24 14:32:48
change: Major (1.0.0 > 2.0.0)
Storage | 6f8f98a4-f108-47cb-8e98-91a0d85cd474 | Configure diagnostic settings for storage accounts to Log Analytics workspace | Deploys the diagnostic settings for storage accounts to stream resource logs to a Log Analytics workspace whenever a storage account that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-03-24 14:32:48
change: Minor (1.1.0 > 1.3.0)
SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-24 14:32:48
change: Major (2.1.0 > 3.0.0)
Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Owner
2021-03-24 14:32:48
change: Minor (1.1.0 > 1.2.0)
Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-24 14:32:48
change: Major (1.0.0 > 2.0.0)
Synapse | 529ea018-6afc-4ed4-95bd-7c9ee47b00bc | Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your Synapse workspace's SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-24 14:32:48
change: Major (1.0.0 > 2.0.0)
Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-16 16:49:20
change: Major, old suffix: preview (2.0.0-preview > 3.0.0)
Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-16 16:49:20
change: Minor (1.0.1 > 1.1.0)
Container Registry | a3701552-92ea-433e-9d17-33b7f1208fc9 | Configure Container registries to disable public network access | Disable public network access for your Container Registry resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-03-16 16:49:20
add: a3701552-92ea-433e-9d17-33b7f1208fc9
Container Registry | bd560fc0-3c69-498a-ae9f-aa8eb7de0e13 | Container registries should have SKUs that support Private Links | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, data leakage risks are reduced. Learn more at: https://aka.ms/acr/private-link. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-16 16:49:20
add: bd560fc0-3c69-498a-ae9f-aa8eb7de0e13
Machine Learning | 7838fd83-5cbb-4b5d-888c-bfa240972597 | Configure Azure Machine Learning workspaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-16 16:49:20
add: 7838fd83-5cbb-4b5d-888c-bfa240972597
Container Registry | d85c6833-7d33-4cf5-a915-aaa2de84405f | Configure Container registries with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your premium container registry resources, you can reduce data leakage risks. Learn more at: https://aka.ms/privateendpoints and https://aka.ms/acr/private-link. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-03-16 16:49:20
add: d85c6833-7d33-4cf5-a915-aaa2de84405f
Migrate | 7590a335-57cf-4c95-babd-ecbc8fafeb1f | Configure Azure Migrate resources to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Migrate project. Learn more at: https://aka.ms/privatednszone. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-16 16:49:20
add: 7590a335-57cf-4c95-babd-ecbc8fafeb1f
Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-03-16 16:49:20
change: Minor, old suffix: preview (1.1.0-preview > 1.2.0)
Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Owner
2021-03-16 16:49:20
change: Minor (1.0.0 > 1.1.0)
Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-16 16:49:20
change: Patch (1.0.1 > 1.0.0)
Machine Learning | ee40564d-486e-4f68-a5ca-7a621edae0fb | Configure Azure Machine Learning workspace to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-16 16:49:20
add: ee40564d-486e-4f68-a5ca-7a621edae0fb
Container Registry | e9585a95-5b8c-4d03-b193-dc7eb5ac4c32 | Configure Container registries to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Container Registry. Learn more at: https://aka.ms/privatednszone and https://aka.ms/acr/private-link. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-16 16:49:20
add: e9585a95-5b8c-4d03-b193-dc7eb5ac4c32
Container Registry | 0fdf0491-d080-4575-b627-ad0e843cba0f | Public network access should be disabled for Container registries | Disabling public network access improves security by ensuring that container registries are not exposed on the public internet. Creating private endpoints can limit exposure of container registry resources. Learn more at: https://aka.ms/acr/portal/public-network and https://aka.ms/acr/private-link. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-16 16:49:20
add: 0fdf0491-d080-4575-b627-ad0e843cba0f
Security Center | 13ce0167-8ca6-4048-8e6b-f996402e3c1b | [Preview]: Configure machines to receive a vulnerability assessment agent | Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment agent to all supported machines that don't already have it installed. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-03-10 14:52:46
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Cache | 7803067c-7d34-46e3-8c79-0ca68fc4036d | Azure Cache for Redis should use private link | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
add: 7803067c-7d34-46e3-8c79-0ca68fc4036d
Category: Cognitive Services
Id: fe3fd216-4f83-4fc1-8984-2bbec80a3418
DisplayName: Cognitive Services accounts should use a managed identity
Description: Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: fe3fd216-4f83-4fc1-8984-2bbec80a3418
Category: Kubernetes
Id: febd0533-8e55-448f-b837-bd0e06f16469
DisplayName: Kubernetes cluster containers should only use allowed images
Description: Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2021-03-09 14:37:41
change: Minor (6.0.0 > 6.1.0)
Category: Cache
Id: 30b3dfa5-a70d-4c8e-bed6-0083858f663d
DisplayName: Configure Azure Cache for Redis to disable public network access
Description: Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks.
Default: Modify
Allowed: (Modify, Disabled)
Redis Cache Contributor
2021-03-09 14:37:41
add: 30b3dfa5-a70d-4c8e-bed6-0083858f663d
Category: Compute
Id: d461a302-a187-421a-89ac-84acdb4edc04
DisplayName: Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption
Description: Requiring a specific set of disk encryption sets to be used with managed disks give you control over the keys used for encryption at rest. You are able to select the allowed encrypted sets and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
change: Major (1.0.0 > 2.0.0)
Category: Kubernetes
Id: a6f560f4-f582-4b67-b123-a37dcd1bf7ea
DisplayName: Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets
Description: Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.
Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Contributor
2021-03-09 14:37:41
add: a6f560f4-f582-4b67-b123-a37dcd1bf7ea
Category: Search
Id: a049bf77-880b-470f-ba6d-9f21c530cf83
DisplayName: Azure Cognitive Search service should use a SKU that supports private link
Description: With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: a049bf77-880b-470f-ba6d-9f21c530cf83
Category: Cosmos DB
Id: b609e813-3156-4079-91fa-a8494c1471c4
DisplayName: Configure CosmosDB accounts with private endpoints
Description: Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your CosmosDB account, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
DocumentDB Account Contributor
2021-03-09 14:37:41
add: b609e813-3156-4079-91fa-a8494c1471c4
Category: Synapse
Id: e04e5000-cd89-451d-bb21-a14d24ff9c73
DisplayName: Auditing on Synapse workspace should be enabled
Description: Auditing on your Synapse workspace should be enabled to track database activities across all databases on the dedicated SQL pools and save them in an audit log.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
add: e04e5000-cd89-451d-bb21-a14d24ff9c73
Category: Security Center
Id: 13ce0167-8ca6-4048-8e6b-f996402e3c1b
DisplayName: [Preview]: Configure machines to receive a vulnerability assessment agent
Description: Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment agent to all supported machines that don't already have it installed.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Security Admin
2021-03-09 14:37:41
add: 13ce0167-8ca6-4048-8e6b-f996402e3c1b
Category: Storage
Id: 7433c107-6db4-4ad1-b57a-a76dce0154a1
DisplayName: Storage accounts should be limited by allowed SKUs
Description: Restrict the set of storage account SKUs that your organization can deploy.
Default: Deny
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
change: Minor (1.0.0 > 1.1.0)
Category: Kubernetes
Id: 1d61c4d2-aef2-432b-87fc-7f96b019b7e1
DisplayName: Configure Kubernetes clusters with specified GitOps configuration using no secrets
Description: Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy.
Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Contributor
2021-03-09 14:37:41
change: Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
Category: Storage
Id: 970f84d8-71b6-4091-9979-ace7e3fb6dbb
DisplayName: HPC Cache accounts should use customer-managed key for encryption
Description: Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.
Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-03-09 14:37:41
add: 970f84d8-71b6-4091-9979-ace7e3fb6dbb
Category: Container Instance
Id: 8af8f826-edcb-4178-b35f-851ea6fea615
DisplayName: Azure Container Instance container group should deploy into a virtual network
Description: Secure communication between your containers with Azure Virtual Networks. When you specify a virtual network, resources within the virtual network can securely and privately communicate with each other.
Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-03-09 14:37:41
add: 8af8f826-edcb-4178-b35f-851ea6fea615
Category: Logic Apps
Id: 1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5
DisplayName: Logic Apps Integration Service Environment should be encrypted with customer-managed keys
Description: Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 1fafeaf6-7927-4059-a50a-8eb2a7a6f2b5
Category: Security Center
Id: bdc59948-5574-49b3-bb91-76b7c986428d
DisplayName: [Preview]: Azure Defender for DNS should be enabled
Description: Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at https://aka.ms/defender-for-dns . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center .
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
add: bdc59948-5574-49b3-bb91-76b7c986428d
Category: SignalR
Id: 464a1620-21b5-448d-8ce6-d4ac6d1bc49a
DisplayName: Azure SignalR Service should use a Private Link enabled SKU
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination which protect your resources against public data leakage risks. The policy limits you to Private Link enabled SKUs for Azure SignalR Service. Learn more about private link at: https://aka.ms/asrs/privatelink.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 464a1620-21b5-448d-8ce6-d4ac6d1bc49a
Category: Service Bus
Id: 1c06e275-d63d-4540-b761-71f364c2111d
DisplayName: Azure Service Bus namespaces should use private link
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
add: 1c06e275-d63d-4540-b761-71f364c2111d
Category: Internet of Things
Id: 2d7e144b-159c-44fc-95c1-ac3dbf5e6e54
DisplayName: [Preview]: Azure IoT Hub should use customer-managed key to encrypt data at rest
Description: Encryption of data at rest in IoT Hub with customer-managed key adds a second layer of encryption on top of the default service-managed keys, enables customer control of keys, custom rotation policies, and ability to manage access to data through key access control. Customer-managed keys must be configured during creation of IoT Hub. For more information on how to configure customer-managed keys, see https://aka.ms/iotcmk.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 2d7e144b-159c-44fc-95c1-ac3dbf5e6e54
Category: Synapse
Id: ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee
DisplayName: Configure Synapse workspaces to have auditing enabled
Description: To ensure the operations performed against your SQL assets are captured, Synapse workspaces should have auditing enabled. This is sometimes required for compliance with regulatory standards.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL Security Manager
Storage Account Contributor
2021-03-09 14:37:41
add: ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee
Category: Cosmos DB
Id: a63cc0bd-cda4-4178-b705-37dc439d3e0f
DisplayName: Configure CosmosDB accounts to use private DNS zones
Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to CosmosDB account. Learn more at: https://aka.ms/privatednszone.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-09 14:37:41
add: a63cc0bd-cda4-4178-b705-37dc439d3e0f
Category: Cosmos DB
Id: 797b37f7-06b8-444c-b1ad-fc62867f335a
DisplayName: Azure Cosmos DB should disable public network access
Description: Disabling public network access improves security by ensuring that your CosmosDB account isn't exposed on the public internet. Creating private endpoints can limit exposure of your CosmosDB account. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 797b37f7-06b8-444c-b1ad-fc62867f335a
Category: Cognitive Services
Id: 0725b4dd-7e76-479c-a735-68e7ee23d5ca
DisplayName: Cognitive Services accounts should disable public network access
Description: Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
change: Patch (1.0.0 > 1.0.1)
Category: Cache
Id: 470baccb-7e51-4549-8b1a-3e5be069f663
DisplayName: Azure Cache for Redis should disable public network access
Description: Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 470baccb-7e51-4549-8b1a-3e5be069f663
Category: Automation
Id: 6dd01e4f-1be1-4e80-9d0b-d109e04cb064
DisplayName: Configure Azure Automation accounts with private DNS zones
Description: Use private DNS zones to override the DNS resolution for a private endpoint. You need private DNS zone properly configured to connect to Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-09 14:37:41
add: 6dd01e4f-1be1-4e80-9d0b-d109e04cb064
Category: Event Hub
Id: b8564268-eb4a-4337-89be-a19db070c59d
DisplayName: Event Hub namespaces should use private link
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
add: b8564268-eb4a-4337-89be-a19db070c59d
Category: Kubernetes
Id: c050047b-b21b-4822-8a2d-c1e37c3c0c6a
DisplayName: Configure Kubernetes clusters with specified GitOps configuration using SSH secrets
Description: Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.
Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Contributor
2021-03-09 14:37:41
add: c050047b-b21b-4822-8a2d-c1e37c3c0c6a
Category: Kubernetes
Id: 040732e8-d947-40b8-95d6-854c95024bf8
DisplayName: Azure Kubernetes Service Private Clusters should be enabled
Description: Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 040732e8-d947-40b8-95d6-854c95024bf8
Category: Internet of Things
Id: aaa64d2d-2fa3-45e5-b332-0b031b9b30e8
DisplayName: Configure IoT Hub device provisioning instances to use private DNS zones
Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to an IoT Hub device provisioning service instance. Learn more at: https://aka.ms/iotdpsvnet.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-03-09 14:37:41
add: aaa64d2d-2fa3-45e5-b332-0b031b9b30e8
Category: Storage
Id: 6edd7eda-6dd8-40f7-810d-67160c639cd9
DisplayName: Storage accounts should use private link
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
change: Major (1.0.0 > 2.0.0)
Category: Cosmos DB
Id: 58440f8a-10c5-4151-bdce-dfbaad4a20b7
DisplayName: CosmosDB accounts should use private link
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints.
Default: Audit
Allowed: (Audit, Disabled)
2021-03-09 14:37:41
add: 58440f8a-10c5-4151-bdce-dfbaad4a20b7
Category: Internet of Things
Id: 859dfc91-ea35-43a6-8256-31271c363794
DisplayName: Configure IoT Hub device provisioning service instances to disable public network access
Description: Disable public network access for your IoT Hub device provisioning instance so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/iotdpsvnet.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-03-09 14:37:41
add: 859dfc91-ea35-43a6-8256-31271c363794
Category: Data Factory
Id: 0088bc63-6dee-4a9c-9d29-91cfdc848952
DisplayName: SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network
Description: Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 0088bc63-6dee-4a9c-9d29-91cfdc848952
Category: Security Center
Id: 86b3d65f-7626-441e-b690-81a8b71cff60
DisplayName: System updates should be installed on your machines
Description: Missing security system updates on your servers will be monitored by Azure Security Center as recommendations
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
change: Major (3.0.0 > 4.0.0)
Category: SQL
Id: 89099bee-89e0-4b26-a5f4-165451757743
DisplayName: SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
Description: For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
change: Minor (2.0.1 > 2.1.0)
Category: Internet of Things
Id: d82101f3-f3ce-4fc5-8708-4c09f4009546
DisplayName: IoT Hub device provisioning service instances should disable public network access
Description: Disabling public network access improves security by ensuring that IoT Hub device provisioning service instance isn't exposed on the public internet. Creating private endpoints can limit exposure of the IoT Hub device provisioning instances. Learn more at: https://aka.ms/iotdpsvnet.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: d82101f3-f3ce-4fc5-8708-4c09f4009546
Category: Synapse
Id: 3b3b0c27-08d2-4b32-879d-19930bee3266
DisplayName: Configure Azure Synapse workspaces with private endpoints
Description: Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Synapse workspaces, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-03-09 14:37:41
add: 3b3b0c27-08d2-4b32-879d-19930bee3266
Category: Internet of Things
Id: df39c015-56a4-45de-b4a3-efe77bed320d
DisplayName: IoT Hub device provisioning service instances should use private link
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced. Learn more about private links at: https://aka.ms/iotdpsvnet.
Default: Audit
Allowed: (Audit, Disabled)
2021-03-09 14:37:41
add: df39c015-56a4-45de-b4a3-efe77bed320d
Category: Automation
Id: 955a914f-bf86-4f0e-acd5-e0766b0efcb6
DisplayName: Automation accounts should disable public network access
Description: Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 955a914f-bf86-4f0e-acd5-e0766b0efcb6
Category: Automation
Id: c0c3130e-7dda-4187-aed0-ee4a472eaa60
DisplayName: Configure private endpoint connections on Azure Automation accounts
Description: Private endpoint connections allow secure communication by enabling private connectivity to Azure Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Contributor
2021-03-09 14:37:41
add: c0c3130e-7dda-4187-aed0-ee4a472eaa60
Category: Cognitive Services
Id: 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c
DisplayName: Configure Cognitive Services accounts to disable public network access
Description: Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800.
Default: Modify
Allowed: (Disabled, Modify)
Contributor
2021-03-09 14:37:41
add: 47ba1dd7-28d9-4b07-a8d5-9813bed64e0c
Category: Storage
Id: 6f8f98a4-f108-47cb-8e98-91a0d85cd474
DisplayName: Configure diagnostic settings for storage accounts to Log Analytics workspace
Description: Deploys the diagnostic settings for storage accounts to stream resource logs to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-03-09 14:37:41
change: Minor (1.0.0 > 1.1.0)
Category: Kubernetes
Id: 440b515e-a580-421e-abeb-b159a61ddcbc
DisplayName: Kubernetes cluster containers should only listen on allowed ports
Description: Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2021-03-09 14:37:41
change: Minor (6.0.0 > 6.1.0)
Category: Search
Id: fbc14a67-53e4-4932-abcc-2049c6706009
DisplayName: Configure Azure Cognitive Search services to use private DNS zones
Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to your Azure Cognitive Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-09 14:37:41
add: fbc14a67-53e4-4932-abcc-2049c6706009
Category: Compute
Id: 702dd420-7fcc-42c5-afe8-4026edd20fe0
DisplayName: OS and data disks should be encrypted with a customer-managed key
Description: Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
change: Major (1.0.0 > 2.0.0)
Category: Network
Id: c251913d-7d24-4958-af87-478ed3b9ba41
DisplayName: Flow logs should be configured for every network security group
Description: Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.
Default: Audit
Allowed: (Audit, Disabled)
2021-03-09 14:37:41
change: Minor (1.0.0 > 1.1.0)
Category: API Management
Id: 73ef9241-5d81-4cd4-b483-8443d1730fe5
DisplayName: API Management service should use a SKU that supports virtual networks
Description: With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: https://aka.ms/apimvnet.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 73ef9241-5d81-4cd4-b483-8443d1730fe5
Category: Cosmos DB
Id: da69ba51-aaf1-41e5-8651-607cd0b37088
DisplayName: Configure CosmosDB accounts to disable public network access
Description: Disable public network access for your CosmosDB resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation.
Default: Modify
Allowed: (Modify, Disabled)
Contributor
DocumentDB Account Contributor
2021-03-09 14:37:41
add: da69ba51-aaf1-41e5-8651-607cd0b37088
Category: Synapse
Id: 72d11df1-dd8a-41f7-8925-b05b960ebafc
DisplayName: Azure Synapse workspaces should use private link
Description: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.
Default: Audit
Allowed: (Audit, Disabled)
2021-03-09 14:37:41
change: Patch (1.0.0 > 1.0.1)
Category: SignalR
Id: 21a9766a-82a5-4747-abb5-650b6dbba6d0
DisplayName: Azure SignalR Service should disable public network access
Description: To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: 21a9766a-82a5-4747-abb5-650b6dbba6d0
Category: Event Hub
Id: ed66d4f5-8220-45dc-ab4a-20d1749c74e6
DisplayName: Configure Event Hub namespaces to use private DNS zones
Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Event Hub namespaces. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-09 14:37:41
add: ed66d4f5-8220-45dc-ab4a-20d1749c74e6
Category: Search
Id: 9cee519f-d9c1-4fd9-9f79-24ec3449ed30
DisplayName: Configure Azure Cognitive Search services to disable public network access
Description: Disable public network access for your Azure Cognitive Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.
Default: Modify
Allowed: (Modify, Disabled)
Network Contributor
Search Service Contributor
2021-03-09 14:37:41
add: 9cee519f-d9c1-4fd9-9f79-24ec3449ed30
Category: Synapse
Id: 529ea018-6afc-4ed4-95bd-7c9ee47b00bc
DisplayName: Synapse workspaces with SQL auditing to storage account destination should be configured with 90 days retention or higher
Description: For incident investigation purposes, we recommend setting the data retention for your Synapse workspace' SQL auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
add: 529ea018-6afc-4ed4-95bd-7c9ee47b00bc
Category: Cognitive Services
Id: 67121cc7-ff39-4ab8-b7e3-95b84dab487d
DisplayName: Cognitive Services accounts should enable data encryption with a customer-managed key
Description: Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
change: Major (1.0.3 > 2.0.0)
Category: Search
Id: ee980b6d-0eca-4501-8d54-f6290fd512c3
DisplayName: Azure Cognitive Search services should disable public network access
Description: Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: ee980b6d-0eca-4501-8d54-f6290fd512c3
Category: Network
Id: 27960feb-a23c-4577-8d36-ef8b5f35e0be
DisplayName: Flow logs should be enabled for every network security group
Description: Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more.
Default: Audit
Allowed: (Audit, Disabled)
2021-03-09 14:37:41
add: 27960feb-a23c-4577-8d36-ef8b5f35e0be
Category: Synapse
Id: 1e5ed725-f16c-478b-bd4b-7bfa2f7940b9
DisplayName: Configure Azure Synapse workspaces to use private DNS zones
Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. Learn more at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-from-restricted-network#appendix-dns-registration-for-private-endpoint.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-09 14:37:41
add: 1e5ed725-f16c-478b-bd4b-7bfa2f7940b9
Category: Kubernetes
Id: 233a2a17-77ca-4fb1-9b6b-69223d272a44
DisplayName: Kubernetes cluster services should listen only on allowed ports
Description: Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2021-03-09 14:37:41
change: Minor (6.0.0 > 6.1.0)
Category: Cache
Id: e016b22b-e0eb-436d-8fd7-160c4eaed6e2
DisplayName: Configure Azure Cache for Redis to use private DNS zones
Description: Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: https://aka.ms/privatednszone.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-09 14:37:41
add: e016b22b-e0eb-436d-8fd7-160c4eaed6e2
Category: SQL
Id: f4c68484-132f-41f9-9b6d-3e4b1cb55036
DisplayName: Configure SQL servers to have auditing enabled
Description: To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
SQL Security Manager
Storage Account Contributor
2021-03-09 14:37:41
change: Minor (1.0.0 > 1.1.0)
Storage | 9f766f00-8d11-464e-80e1-4091d7874074 | Configure Storage account to use a private link connection | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your storage account, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/azureprivatelinkoverview | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Storage Account Contributor
2021-03-09 14:37:41
add: 9f766f00-8d11-464e-80e1-4091d7874074
Internet of Things | 9b75ea5b-c796-4c99-aaaf-21c204daac43 | Configure IoT Hub device provisioning service instances with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to IoT Hub device provisioning service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/iotdpsvnet. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-03-09 14:37:41
add: 9b75ea5b-c796-4c99-aaaf-21c204daac43
SignalR | b0e86710-7fb7-4a6c-a064-32e9b829509e | Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure SignalR Service resource. Learn more at: https://aka.ms/asrs/privatelink. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-09 14:37:41
add: b0e86710-7fb7-4a6c-a064-32e9b829509e
Logic Apps | dc595cb1-1cde-45f6-8faf-f88874e1c0e1 | Logic Apps should be deployed into Integration Service Environment | Deploying Logic Apps into Integration Service Environment in a virtual network unlocks advanced Logic Apps networking and security features and provides you with greater control over your network configuration. Learn more at: https://aka.ms/integration-service-environment. Deploying into Integration Service Environment also allows encryption with customer-managed keys which provides enhanced data protection by allowing you to manage your encryption keys. This is often to meet compliance requirements. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-09 14:37:41
add: dc595cb1-1cde-45f6-8faf-f88874e1c0e1
Container Instance | 0aa61e00-0a01-4a3c-9945-e93cffedf0e6 | Azure Container Instance container group should use customer-managed key for encryption | Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-03-09 14:37:41
add: 0aa61e00-0a01-4a3c-9945-e93cffedf0e6
Service Bus | f0fcf93c-c063-4071-9668-c47474bd3564 | Configure Service Bus namespaces to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Service Bus namespaces. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-09 14:37:41
add: f0fcf93c-c063-4071-9668-c47474bd3564
Backup | deeddb44-9f94-4903-9fa0-081d524406e3 | [Preview]: Azure Recovery Services vaults should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints. | Default: Audit
Allowed: (Audit, Disabled)
2021-03-09 14:37:41
add: deeddb44-9f94-4903-9fa0-081d524406e3
Synapse | 2b18f286-371e-4b80-9887-04759970c0d3 | Synapse workspace auditing settings should have action groups configured to capture critical activities | To ensure your audit logs are as thorough as possible, the AuditActionsAndGroups property should include all the relevant groups. We recommend adding at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP. This is sometimes required for compliance with regulatory standards. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
add: 2b18f286-371e-4b80-9887-04759970c0d3
Event Hub | 91678b7c-d721-4fc5-b179-3cdf74e96b1c | Configure Event Hub namespaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Event Hub namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/event-hubs/private-link-service. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Azure Event Hubs Data Owner
2021-03-09 14:37:41
add: 91678b7c-d721-4fc5-b179-3cdf74e96b1c
SignalR | 62a3ae95-8169-403e-a2d2-b82141448092 | Modify Azure SignalR Service resources to disable public network access | To improve the security of Azure SignalR Service resource, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://aka.ms/asrs/networkacls. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. | Default: Modify
Allowed: (Modify, Disabled)
SignalR Contributor
2021-03-09 14:37:41
add: 62a3ae95-8169-403e-a2d2-b82141448092
Security Center | c3d20c29-b36d-48fe-808b-99a87530ad99 | Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager. Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-09 14:37:41
add: c3d20c29-b36d-48fe-808b-99a87530ad99
Service Bus | 7d890f7f-100c-473d-baa1-2777e2266535 | Configure Service Bus namespaces with private endpoints | Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Service Bus namespaces, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/service-bus-messaging/private-link-service. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Azure Service Bus Data Owner
2021-03-09 14:37:41
add: 7d890f7f-100c-473d-baa1-2777e2266535
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (3.0.1 > 4.0.0)
App Configuration | 614ffa75-862c-456e-ad8b-eaa1b0844b07 | Configure private endpoints for App Configuration | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your app configuration instances, data leakage risks are reduced. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-03-02 15:11:40
add: 614ffa75-862c-456e-ad8b-eaa1b0844b07
General | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | Not allowed resource types | Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
change: Major (1.0.0 > 2.0.0)
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Automanage | 270610db-8c04-438a-a739-e8e6745b22d3 | Configure virtual machines to be onboarded to Azure Automanage | Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-03-02 15:11:40
change: Major (1.0.0 > 3.0.0)
Monitoring | 11ac78e3-31bc-4f0c-8434-37ab963cea07 | Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
change: Major (1.0.1 > 2.0.0)
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0)
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | [Preview]: Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
App Configuration | 73290fa2-dfa7-4bbb-945d-a5e23b75df2c | Configure App Configuration to disable public network access | Disable public network access for App Configuration so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-03-02 15:11:40
add: 73290fa2-dfa7-4bbb-945d-a5e23b75df2c
Storage | 21a8cd35-125e-4d13-b82d-2e19b7208bb7 | Public network access should be disabled for Azure File Sync | Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
add: 21a8cd35-125e-4d13-b82d-2e19b7208bb7
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Storage | 06695360-db88-47f6-b976-7500d4297475 | Configure Azure File Sync to use private DNS zones | To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s). | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Private DNS Zone Contributor
Network Contributor
2021-03-02 15:11:40
add: 06695360-db88-47f6-b976-7500d4297475
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0)
App Service | 7008174a-fd10-4ef0-817e-fc820a951d73 | Ensure that 'Python version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
change: Major (2.0.0 > 3.0.0)
Storage | b35dddd9-daf7-423b-8375-5a5b86806d5a | Configure Azure File Sync with private endpoints | A private endpoint is deployed for the indicated Storage Sync Service resource. This enables you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. The existence of one or more private endpoints by themselves does not disable the public endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-03-02 15:11:40
add: b35dddd9-daf7-423b-8375-5a5b86806d5a
Monitoring | 32133ab0-ee4b-4b44-98d6-042180979d50 | [Preview]: Log Analytics Agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Automation | 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c | Configure Azure Automation accounts to disable public network access | Disable public network access for Azure Automation account so that it isn't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-03-02 15:11:40
add: 23b36a7c-9d26-4288-a8fd-c1d2fa284d8c
Compute | d461a302-a187-421a-89ac-84acdb4edc04 | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Requiring a specific set of disk encryption sets to be used with managed disks gives you control over the keys used for encryption at rest. You are able to select the allowed encryption sets, and all others are rejected when attached to a disk. Learn more at https://aka.ms/disks-cmk. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
add: d461a302-a187-421a-89ac-84acdb4edc04
Internet of Things | 114eec6e-5e59-4bad-999d-6eceeb39d582 | Modify - Configure Azure IoT Hubs to disable public network access | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. This policy disables public network access on IoT Hub resources. | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-03-02 15:11:40
add: 114eec6e-5e59-4bad-999d-6eceeb39d582
Storage | 1d320205-c6a1-4ac6-873d-46224024e8e2 | Azure File Sync should use private link | Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
add: 1d320205-c6a1-4ac6-873d-46224024e8e2
Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-03-02 15:11:40
change: Major (1.3.0 > 2.0.0)
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0)
Monitoring | 3c1b3629-c8f8-4bf6-862c-037cb9094038 | Deploy - Configure Log Analytics agent to be enabled on Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
Virtual Machine Contributor
2021-03-02 15:11:40
change: Major (1.1.0 > 2.0.0)
Internet of Things | c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02 | Deploy - Configure Azure IoT Hubs to use private DNS zones | Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. You can use private DNS zones to override the DNS resolution by using your own custom domain names for a private endpoint. This policy deploys a private DNS Zone for IoT Hub private endpoints. | Default: deployIfNotExists
Allowed: (deployIfNotExists, disabled)
Network Contributor
Contributor
2021-03-02 15:11:40
add: c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (3.0.1 > 4.0.0)
Storage | 0e07b2e9-6cd9-4c40-9ccb-52817b95133b | Modify - Configure Azure File Sync to disable public network access | The Azure File Sync's internet-accessible public endpoint is disabled by your organizational policy. You may still access the Storage Sync Service via its private endpoint(s). | Default: Modify
Allowed: (Modify, Disabled)
Contributor
2021-03-02 15:11:40
add: 0e07b2e9-6cd9-4c40-9ccb-52817b95133b
Automation | 0c2b3618-68a8-4034-a150-ff4abc873462 | Private endpoint connections on Automation Accounts should be enabled | Private endpoint connections allow secure communication by enabling private connectivity to Automation accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Azure Automation at https://docs.microsoft.com/azure/automation/how-to/private-link-security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
add: 0c2b3618-68a8-4034-a150-ff4abc873462
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: deny
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (5.0.2 > 6.0.0)
App Configuration | 7a860e27-9ca2-4fc6-822d-c2d248c300df | Configure private DNS zones for private endpoints connected to App Configuration | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve app configuration instances. Learn more at: https://aka.ms/appconfig/private-endpoint. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-03-02 15:11:40
add: 7a860e27-9ca2-4fc6-822d-c2d248c300df
Internet of Things | 0d40b058-9f95-4a19-93e3-9b0330baa2a3 | Private endpoint should be enabled for IoT Hub | Private endpoint connections enforce secure communication by enabling private connectivity to IoT Hub. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | Default: Audit
Allowed: (Audit, Disabled)
2021-03-02 15:11:40
add: 0d40b058-9f95-4a19-93e3-9b0330baa2a3
Event Grid | 36f4658a-848a-467b-881c-e6fa20cf75fc | Deploy - Configure Azure Event Grid domains with private endpoints | Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
EventGrid Contributor
2021-03-02 15:11:40
add: 36f4658a-848a-467b-881c-e6fa20cf75fc
SQL | 28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b | Configure Azure SQL Server to disable public network access | Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server. | Default: Modify
Allowed: (Modify, Disabled)
SQL Server Contributor
2021-03-02 15:11:40
add: 28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b
Monitoring | 3be22e3b-d919-47aa-805e-8985dbeb0ad9 | Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-03-02 15:11:40
change: Major (1.3.0 > 2.0.0)
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Compute | ca91455f-eace-4f96-be59-e6e2c35b4816 | Managed disks should be double encrypted with both platform-managed and customer-managed keys | High security sensitive customers who are concerned about the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for an additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at https://aka.ms/disks-doubleEncryption. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
add: ca91455f-eace-4f96-be59-e6e2c35b4816
Internet of Things | 47031206-ce96-41f8-861b-6a915f3de284 | [Preview]: IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK) | Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
add: 47031206-ce96-41f8-861b-6a915f3de284
HDInsight | b0ab5b05-1c98-40f7-bb9e-dc568e41b501 | Azure HDInsight clusters should be injected into a virtual network | Injecting Azure HDInsight clusters in a virtual network unlocks advanced HDInsight networking and security features and provides you with control over your network security configuration. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-03-02 15:11:40
add: b0ab5b05-1c98-40f7-bb9e-dc568e41b501
Monitoring | 0868462e-646c-4fe3-9ced-a733534b6a2c | Deploy - Configure Log Analytics agent to be enabled on Windows virtual machines | Deploy Log Analytics agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2021-03-02 15:11:40
change: Major (1.1.0 > 2.0.0)
Compute | fc4d8e41-e223-45ea-9bf5-eada37891d87 | Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at https://aka.ms/vm-hbe. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
add: fc4d8e41-e223-45ea-9bf5-eada37891d87
App Service | 4d0bc837-6eff-477e-9ecd-33bf8d4212a5 | Function apps should use an Azure file share for its content directory | The content directory of a function app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594. | Default: Audit
Allowed: (Audit, Disabled)
2021-03-02 15:11:40
add: 4d0bc837-6eff-477e-9ecd-33bf8d4212a5
App Service | 74c3584d-afae-46f7-a20a-6f8adba71a16 | Ensure that 'Python version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
change: Major (2.0.0 > 3.0.0)
Internet of Things | 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb | Public network access on Azure IoT Hub should be disabled | Disabling the public network access property improves security by ensuring your Azure IoT Hub can only be accessed from a private endpoint. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
add: 2d6830fb-07eb-48e7-8c4d-2a442b35f0fb
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (3.0.1 > 4.0.0)
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0)
Compute
702dd420-7fcc-42c5-afe8-4026edd20fe0
OS and data disks should be encrypted with a customer-managed key
Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
add: 702dd420-7fcc-42c5-afe8-4026edd20fe0
Monitoring
5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138
Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images
Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
change: Major (1.0.1 > 2.0.0)
SQL
8e8ca470-d980-4831-99e6-dc70d9f6af87
Configure Azure SQL Server to enable private endpoint connections
A private endpoint connection enables private connectivity to your Azure SQL Database via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
SQL Server Contributor
2021-03-02 15:11:40
add: 8e8ca470-d980-4831-99e6-dc70d9f6af87
Kubernetes
f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Kubernetes
423dd1ba-798e-40e4-9c4d-b6902674b423
[Preview]: Kubernetes clusters should disable automounting API credentials
Disable automounting API credentials to prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Kubernetes
9f061a12-e40d-4183-a00e-171812443373
[Preview]: Kubernetes clusters should not use the default namespace
Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Kubernetes
d46c275d-1680-448d-b2ec-e495a3b6cc89
Kubernetes cluster services should only use allowed external IPs
Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Event Grid
6fcec95c-fbdf-45e8-91e1-e3175d9c9eca
Deploy - Configure Azure Event Grid topics with private endpoints
Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
EventGrid Contributor
2021-03-02 15:11:40
add: 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca
App Service
7238174a-fd10-4ef0-817e-fc820a951d73
Ensure that 'Python version' is the latest, if used as a part of the Function app
Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
change: Major (2.0.0 > 3.0.0)
App Service
324c7761-08db-4474-9661-d1039abc92ee
API apps should use an Azure file share for its content directory
The content directory of an API app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.
Default: Audit
Allowed: (Audit, Disabled)
2021-03-02 15:11:40
add: 324c7761-08db-4474-9661-d1039abc92ee
Kubernetes
c26596ff-4d70-4e6a-9a30-c2506bd2f80c
Kubernetes cluster containers should only use allowed capabilities
Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Kubernetes
47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
Kubernetes cluster containers should not share host process ID or host IPC namespace
Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Internet of Things
bf684997-3909-404e-929c-d4a38ed23b2e
Deploy - Configure Azure IoT Hubs with private endpoints
A private endpoint is a private IP address allocated inside a customer-owned virtual network via which an Azure resource is reachable. This policy deploys a private endpoint for your IoT hub to allow services inside your virtual network to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
Contributor
2021-03-02 15:11:40
add: bf684997-3909-404e-929c-d4a38ed23b2e
Kubernetes
511f5417-5d12-434d-ab2e-816901e72a5e
Kubernetes cluster containers should only use allowed AppArmor profiles
Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Monitoring
e2dd799a-a932-4e9d-ac17-d473bc3c6c10
Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images
Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-03-02 15:11:40
change: Major (1.0.1 > 2.0.0)
Kubernetes
d2e7ea85-6b44-4317-a0be-1b951587f626
[Preview]: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
Kubernetes
16697877-1118-4fb1-9b65-9898ec2509ec
Kubernetes cluster pods should only use allowed volume types
Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Synapse
3484ce98-c0c5-4c83-994b-c5ac24785218
Azure Synapse workspaces should allow outbound data traffic only to approved targets
Increase security of your Synapse workspace by allowing outbound data traffic only to approved targets. This helps prevent data exfiltration by validating the target before sending data.
Default: Audit
Allowed: (Audit, Disabled, Deny)
2021-03-02 15:11:40
add: 3484ce98-c0c5-4c83-994b-c5ac24785218
Kubernetes
3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e
Kubernetes clusters should use internal load balancers
Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0)
App Service
dcbc65aa-59f3-4239-8978-3bb869d82604
Web apps should use an Azure file share for its content directory
The content directory of a web app should be located on an Azure file share. The storage account information for the file share must be provided before any publishing activity. To learn more about using Azure Files for hosting app service content refer to https://go.microsoft.com/fwlink/?linkid=2151594.
Default: Audit
Allowed: (Audit, Disabled)
2021-03-02 15:11:40
add: dcbc65aa-59f3-4239-8978-3bb869d82604
Kubernetes
e345eecc-fa47-480f-9e88-67dcc122b164
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0)
Kubernetes
febd0533-8e55-448f-b837-bd0e06f16469
Kubernetes cluster containers should only use allowed images
Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (5.0.1 > 6.0.0)
Machine Learning
5f0c7d88-c7de-45b8-ac49-db49e72eaa78
Azure Machine Learning workspaces should use user-assigned managed identity
Manage access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-03-02 15:11:40
add: 5f0c7d88-c7de-45b8-ac49-db49e72eaa78
Kubernetes
975ce327-682c-4f2e-aa46-b9598289b86c
Kubernetes cluster containers should only use allowed seccomp profiles
Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-03-02 15:11:40
change: Major (2.0.1 > 3.0.0)
Batch
0ef5aac7-c064-427a-b87b-d47b3ddcaf73
Configure Batch accounts with private endpoints
Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to Batch accounts, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/batch/private-connectivity.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-03-02 15:11:40
add: 0ef5aac7-c064-427a-b87b-d47b3ddcaf73
Monitoring
17b3de92-f710-4cf4-aa55-0e7859f1ed7b
[ASC Private Preview] Configure system-assigned managed identity to enable Azure Monitor assignments on VMs
[ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location.
Default: Modify
Allowed: (Modify, Disabled)
Virtual Machine Contributor
2021-03-02 15:11:40
change: Minor, suffix remains equal (1.1.0-preview > 1.2.0-preview)
Monitoring
17b3de92-f710-4cf4-aa55-0e7859f1ed7b
[ASC Private Preview] Configure system-assigned managed identity to enable Azure Monitor assignments on VMs
[ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location.
Default: Modify
Allowed: (Modify, Disabled)
Virtual Machine Contributor
2021-02-23 16:24:42
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Batch
009a0c92-f5b4-4776-9b66-4ed2b4775563
Private endpoint connections on Batch accounts should be enabled
Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. Learn more about private endpoints in Batch at https://docs.microsoft.com/azure/batch/private-connectivity.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-02-23 16:24:42
add: 009a0c92-f5b4-4776-9b66-4ed2b4775563
App Configuration
3d9f5e4c-9947-4579-9539-2a7695fbc187
App Configuration should disable public network access
Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/appconfig/private-endpoint.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-02-23 16:24:42
add: 3d9f5e4c-9947-4579-9539-2a7695fbc187
Kubernetes
6c66c325-74c8-42fd-a286-a74b0e2939d8
Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace
Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-02-23 16:24:42
add: 6c66c325-74c8-42fd-a286-a74b0e2939d8
App Configuration
89c8a434-18f0-402c-8147-630a8dea54e0
App Configuration should use a SKU that supports private link
When using a supported SKU, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-02-23 16:24:42
add: 89c8a434-18f0-402c-8147-630a8dea54e0
Batch
4ec38ebc-381f-45ee-81a4-acbc4be878f8
Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts
Private DNS records allow private connections to private endpoints. Private endpoint connections allow secure communication by enabling private connectivity to Batch accounts without a need for public IP addresses at the source or destination. For more information on private endpoints and DNS zones in Batch, see https://docs.microsoft.com/azure/batch/private-connectivity.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
2021-02-23 16:24:42
add: 4ec38ebc-381f-45ee-81a4-acbc4be878f8
Key Vault
951af2fa-529b-416e-ab6e-066fd85ac459
Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace
Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault that is missing these diagnostic settings is created or updated.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-02-23 16:24:42
add: 951af2fa-529b-416e-ab6e-066fd85ac459
Storage
6f8f98a4-f108-47cb-8e98-91a0d85cd474
Configure diagnostic settings for storage accounts to Log Analytics workspace
Deploys the diagnostic settings for storage accounts to stream resource logs to a Log Analytics workspace when any storage account that is missing these diagnostic settings is created or updated.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-02-23 16:24:42
add: 6f8f98a4-f108-47cb-8e98-91a0d85cd474
Network
b6e2945c-0b7b-40f5-9233-7a5323b5cdc6
Network Watcher should be enabled
Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. A network watcher resource group must be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-02-23 16:24:42
change: Major (1.1.0 > 2.0.0)
Event Grid
6fcec95c-fbdf-45e8-91e1-e3175d9c9eca
Deploy - Configure Azure Event Grid topics with private endpoints
Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
n/a
n/a
2021-02-22 14:29:52
remove: 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca
Event Grid
36f4658a-848a-467b-881c-e6fa20cf75fc
Deploy - Configure Azure Event Grid domains with private endpoints
Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
n/a
n/a
2021-02-22 14:29:52
remove: 36f4658a-848a-467b-881c-e6fa20cf75fc
App Service
2b9ad585-36bc-4615-b300-fd4435808332
Managed identity should be used in your Web App
Use a managed identity for enhanced authentication security.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-02-17 14:28:42
change: Major (1.0.0 > 2.0.0)
Event Grid
6fcec95c-fbdf-45e8-91e1-e3175d9c9eca
Deploy - Configure Azure Event Grid topics with private endpoints
Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
EventGrid Contributor
2021-02-17 14:28:42
add: 6fcec95c-fbdf-45e8-91e1-e3175d9c9eca
Monitoring
b3884c81-31aa-473d-a9bb-9466fe0ec2a0
Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM
Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM that is missing these diagnostic settings is created or updated.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Monitoring Contributor
Log Analytics Contributor
2021-02-17 14:28:42
add: b3884c81-31aa-473d-a9bb-9466fe0ec2a0
Event Grid
898e9824-104c-4965-8e0e-5197588fa5d4
Modify - Configure Azure Event Grid domains to disable public network access
Disable public network access for Azure Event Grid resources so that they aren't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.
Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor
2021-02-17 14:28:42
add: 898e9824-104c-4965-8e0e-5197588fa5d4
Kubernetes
d2e7ea85-6b44-4317-a0be-1b951587f626
[Preview]: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2021-02-17 14:28:42
add: d2e7ea85-6b44-4317-a0be-1b951587f626
Security Center
509122b9-ddd9-47ba-a5f1-d0dac20be63c
Deploy Workflow Automation for Azure Security Center regulatory compliance
Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Fixed: deployIfNotExists
Contributor
2021-02-17 14:28:42
change: Major (2.0.0 > 3.0.0)
Event Grid
f8f774be-6aee-492a-9e29-486ef81f3a68
Azure Event Grid domains should disable public network access
Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-02-17 14:28:42
add: f8f774be-6aee-492a-9e29-486ef81f3a68
Event Grid
1adadefe-5f21-44f7-b931-a59b54ccdb45
Azure Event Grid topics should disable public network access
Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-02-17 14:28:42
add: 1adadefe-5f21-44f7-b931-a59b54ccdb45
Monitoring
fa298e57-9444-42ba-bf04-86e8470e32c7
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption
Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries.
Default: audit
Allowed: (audit, deny, disabled)
2021-02-17 14:28:42
add: fa298e57-9444-42ba-bf04-86e8470e32c7
App Service
91a78b24-f231-4a8a-8da9-02c35b2b6510
Resource logs in App Services should be enabled
Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-02-17 14:28:42
add: 91a78b24-f231-4a8a-8da9-02c35b2b6510
Monitoring
d550e854-df1a-4de9-bf44-cd894b39a95e
Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace
Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key ensures that your Application Insights logs meet this compliance requirement; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys.
Default: audit
Allowed: (audit, deny, disabled)
2021-02-17 14:28:42
add: d550e854-df1a-4de9-bf44-cd894b39a95e
Monitoring
ea0dfaed-95fb-448c-934e-d6e713ce393d
Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported in the region; see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview.
Default: audit
Allowed: (audit, deny, disabled)
2021-02-17 14:28:42
add: ea0dfaed-95fb-448c-934e-d6e713ce393d
App Service
0da106f2-4ca3-48e8-bc85-c638fe6aea8f
Managed identity should be used in your Function App
Use a managed identity for enhanced authentication security.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-02-17 14:28:42
change: Major (1.0.0 > 2.0.0)
Key Vault
a6d2c800-5230-4a40-bff3-8268b4987d42
Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM
Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Event Hub when any Azure Key Vault Managed HSM that is missing these diagnostic settings is created or updated.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-02-17 14:28:42
add: a6d2c800-5230-4a40-bff3-8268b4987d42
Security Center
0b15565f-aa9e-48ba-8619-45960f2c314d
Email notification to subscription owner for high severity alerts should be enabled
To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-02-17 14:28:42
change: Major (1.0.1 > 2.0.0)
Event Grid
d389df0a-e0d7-4607-833c-75a6fdac2c2d
Deploy - Configure Azure Event Grid domains to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.
Default: deployIfNotExists
Allowed: (deployIfNotExists, Disabled)
Network Contributor
2021-02-17 14:28:42
add: d389df0a-e0d7-4607-833c-75a6fdac2c2d
Event Grid
36ea4b4b-0f7f-4a54-89fa-ab18f555a172
Modify - Configure Azure Event Grid topics to disable public network access
Disable public network access for Azure Event Grid resources so that they aren't accessible over the public internet. This will help protect them against data leakage risks. You can limit exposure of your resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints.
Default: Modify
Allowed: (Modify, Disabled)
EventGrid Contributor
2021-02-17 14:28:42
add: 36ea4b4b-0f7f-4a54-89fa-ab18f555a172
Security Center
f1525828-9a90-4fcf-be48-268cdd02361e
Deploy Workflow Automation for Azure Security Center alerts
Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Fixed: deployIfNotExists
Contributor
2021-02-17 14:28:42
change: Major (2.0.0 > 3.0.0)
Event Grid
36f4658a-848a-467b-881c-e6fa20cf75fc
Deploy - Configure Azure Event Grid domains with private endpoints
Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your resources, they'll be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Network Contributor
EventGrid Contributor
2021-02-17 14:28:42
add: 36f4658a-848a-467b-881c-e6fa20cf75fc
Event Grid
9830b652-8523-49cc-b1b3-e17dce1127ca
Azure Event Grid domains should use private link
Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
Default: Audit
Allowed: (Audit, Disabled)
2021-02-17 14:28:42
change: Patch (1.0.1 > 1.0.2)
Backup
c717fb0c-d118-4c43-ab3d-ece30ac81fb3
Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.
Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created.
Fixed: deployIfNotExists
Monitoring Contributor
Log Analytics Contributor
2021-02-17 14:28:42
change: Version remains equal, old suffix: preview (1.0.2-preview > 1.0.2)
Event Grid
baf19753-7502-405f-8745-370519b20483
Deploy - Configure Azure Event Grid topics to use private DNS zones
Use private DNS zones to override the DNS resolution for a private endpoint. Learn more at: https://aka.ms/privatednszone.
Default: deployIfNotExists
Allowed: (deployIfNotExists, Disabled)
Network Contributor
2021-02-17 14:28:42
add: baf19753-7502-405f-8745-370519b20483
Security Center
73d6ab6c-2475-4850-afd6-43795f3492ef
Deploy Workflow Automation for Azure Security Center recommendations
Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task.
Fixed: deployIfNotExists
Contributor
2021-02-17 14:28:42
change: Major (2.0.0 > 3.0.0)
Event Grid
4b90e17e-8448-49db-875e-bd83fb6f804f
Azure Event Grid topics should use private link
Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints.
Default: Audit
Allowed: (Audit, Disabled)
2021-02-17 14:28:42
change: Patch (1.0.1 > 1.0.2)
App Servicec4d441f8-f9d9-4a9e-9cef-e82117cb3eefManaged identity should be used in your API AppUse a managed identity for enhanced authentication security Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-02-17 14:28:42
change: Major (1.0.0 > 2.0.0)
Key Vaultc39ba22d-4428-4149-b981-70acb31fc383Azure Key Vault Managed HSM should have purge protection enabledMalicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-02-17 14:28:42
add: c39ba22d-4428-4149-b981-70acb31fc383
Monitoring1f68a601-6e6d-4e42-babf-3f643a047ea2Azure Monitor Logs clusters should be encrypted with customer-managed keyCreate Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. Default: audit
Allowed: (audit, deny, disabled)
2021-02-17 14:28:42
add: 1f68a601-6e6d-4e42-babf-3f643a047ea2
Key Vaulta2a5b911-5617-447e-a49e-59dbe0e0434bResource logs in Azure Key Vault Managed HSM should be enabledTo recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: https://docs.microsoft.com/azure/key-vault/managed-hsm/logging. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-02-17 14:28:42
add: a2a5b911-5617-447e-a49e-59dbe0e0434b
SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Patch (2.0.0 > 2.0.1)
Batch | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.0 > 1.0.1)
HDInsight | 64d314f6-6062-4780-a861-c23e8951bee5 | Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.0 > 1.0.1)
Data Factory | 85bb39b5-2f66-49f8-9306-77da3ac5130f | [Preview]: Azure Data Factory integration runtime should have a limit for number of cores | To manage your resources and costs, limit the number of cores for an integration runtime. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; add: 85bb39b5-2f66-49f8-9306-77da3ac5130f
SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.2 > 1.0.3)
Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default: audit; Allowed: (audit, deny, disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.1 > 1.0.2)
Data Lake | 057ef27e-665e-4328-8ea3-04b3122bd9fb | Resource logs in Azure Data Lake Store should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
General | 0a914e76-4921-4c19-b460-a2d36003525a | Audit resource location matches resource group location | Audit that the resource location matches its resource group location | Fixed: audit | | 2021-02-10 14:43:58; change: Major (1.0.0 > 2.0.0)
Key Vault | cf820ca0-f99e-4f3e-84fb-66e913812d21 | Resource logs in Key Vault should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
Stream Analytics | f9be5368-9bf5-4b84-9e0a-7850da98bb46 | Resource logs in Azure Stream Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created via T-SQL. | Default: Deny; Allowed: (Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.0 > 1.0.1)
SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.2 > 1.0.3)
Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.2 > 1.0.3)
Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.2 > 1.0.3)
Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.1 > 1.0.2)
Data Factory | 127ef6d7-242f-43b3-9eef-947faf1725d0 | [Preview]: Azure Data Factory linked services should use Key Vault for storing secrets | To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; add: 127ef6d7-242f-43b3-9eef-947faf1725d0
Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.2 > 1.0.3)
Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.1.0 > 1.1.1)
Event Hub | 83a214f7-d01a-484b-91a9-ed54470c9a6a | Resource logs in Event Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
Internet of Things | 383856f8-de7f-44a2-81fc-e5135b5c2aa4 | Resource logs in IoT Hub should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (2.0.0 > 3.0.1)
Data Factory | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.0 > 1.0.1)
Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.1.1 > 1.1.2)
Data Lake | c95c74d9-38fe-4f0d-af86-0c7d626a315c | Resource logs in Data Lake Analytics should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
Data Factory | f78ccdb4-7bf4-4106-8647-270491d2978a | [Preview]: Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported | Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secure credentials such as passwords or connection strings. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; add: f78ccdb4-7bf4-4106-8647-270491d2978a
Data Factory | 6809a3d0-d354-42fb-b955-783d207c62a8 | [Preview]: Azure Data Factory linked service resource type should be in allow list | Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; add: 6809a3d0-d354-42fb-b955-783d207c62a8
Compute | 7c1b1214-f927-48bf-8882-84f0af6588b1 | Resource logs in Virtual Machine Scale Sets should be enabled | It is recommended to enable logs so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Patch (2.0.0 > 2.0.1)
Batch | 428256e6-1fac-4f48-a757-df34c2b3336d | Resource logs in Batch accounts should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
Search | b4330a05-a843-4bc8-bf9a-cacce50c67f4 | Resource logs in Search services should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit; Allowed: (Audit, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.1 > 1.0.2)
API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default: audit; Allowed: (audit, disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.0 > 1.0.1)
Logic Apps | 34f95f76-5386-4de7-b824-0d8478470c9d | Resource logs in Logic Apps should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor, Log Analytics Contributor | 2021-02-10 14:43:58; change: Patch (1.0.0 > 1.0.1)
Data Factory | 77d40665-3120-4348-b539-3192ec808307 | [Preview]: Azure Data Factory should use a Git repository for source control | Enable source control on data factories to gain capabilities such as change tracking, collaboration, continuous integration, and deployment. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-10 14:43:58; add: 77d40665-3120-4348-b539-3192ec808307
SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, a database with geo-redundant backup storage is created via T-SQL. | Default: Deny; Allowed: (Deny, Disabled) | | 2021-02-10 14:43:58; change: Patch (1.0.0 > 1.0.1)
SQL | 7ea8a143-05e3-4553-abfe-f56bef8b0b70 | Configure Azure SQL database servers diagnostic settings to Log Analytics workspace | Enables auditing logs for Azure SQL Database server and streams the logs to a Log Analytics workspace when any SQL Server that is missing this auditing is created or updated | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | SQL Security Manager, Log Analytics Contributor | 2021-02-10 14:43:58; add: 7ea8a143-05e3-4553-abfe-f56bef8b0b70
Service Bus | f8d36e2f-389b-4ee4-898d-21aeb69a0f45 | Resource logs in Service Bus should be enabled | Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised | Default: AuditIfNotExists; Allowed: (AuditIfNotExists, Disabled) | | 2021-02-10 14:43:58; change: Major (3.0.0 > 4.0.1)
Backup | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. | Deploy Diagnostic Settings for Recovery Services Vault to stream to Log Analytics workspace for Resource specific categories. If any of the Resource specific categories are not enabled, a new diagnostic setting is created. | Fixed: deployIfNotExists | Monitoring Contributor, Log Analytics Contributor | 2021-02-10 14:43:58; change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
Data Factory | 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6 | Public network access on Azure Data Factory should be disabled | Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-03 15:09:01; add: 1cf164be-6819-4a50-b8fa-4bcaa4f98fb6
SQL | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database that is missing these diagnostic settings is created or updated. | Default: DeployIfNotExists; Allowed: (DeployIfNotExists, Disabled) | Monitoring Contributor, Log Analytics Contributor | 2021-02-03 15:09:01; add: b79fa14e-238a-4c2d-b376-442ce508fc84
Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center data | Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor | 2021-02-03 15:09:01; change: Major (2.0.0 > 3.0.0)
Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor | 2021-02-03 15:09:01; change: Major (1.0.0 > 2.0.0)
Kubernetes | 41425d9f-d1a5-499a-9932-f8ed8453932c | Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service node VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-03 15:09:01; add: 41425d9f-d1a5-499a-9932-f8ed8453932c
Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor | 2021-02-03 15:09:01; change: Major (1.0.0 > 2.0.0)
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | Default: deny; Allowed: (audit, deny, disabled) | | 2021-02-03 15:09:01; change: Patch (5.0.1 > 5.0.2)
Azure Data Explorer | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-03 15:09:01; change: Major (1.0.0 > 2.0.0)
Security Center | 509122b9-ddd9-47ba-a5f1-d0dac20be63c | Deploy Workflow Automation for Azure Security Center regulatory compliance | Enable automation of Azure Security Center regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor | 2021-02-03 15:09:01; add: 509122b9-ddd9-47ba-a5f1-d0dac20be63c
Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center data | Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor | 2021-02-03 15:09:01; change: Major (2.0.0 > 3.0.0)
Automation | 56a5ee18-2ae6-4810-86f7-18e39ce5629b | Azure Automation accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-03 15:09:01; add: 56a5ee18-2ae6-4810-86f7-18e39ce5629b
API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security and isolation, and allows you to place your API Management service in a non-internet-routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Default: Audit; Allowed: (Audit, Disabled) | | 2021-02-03 15:09:01; change: Patch (1.0.0 > 1.0.1)
Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Default: Audit; Allowed: (Audit, Deny, Disabled) | | 2021-02-03 15:09:01; change: Major (1.0.0 > 2.0.0)
Event Huba1ad735a-e96f-45d2-a7b2-9a4932cab7ecEvent Hub namespaces should use a customer-managed key for encryptionAzure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters. Default: Audit
Allowed: (Audit, Disabled)
2021-01-27 16:54:46
add: a1ad735a-e96f-45d2-a7b2-9a4932cab7ec
Bot Service51522a96-0869-4791-82f3-981000c2c67fBot Service should be encrypted with a customer-managed keyAzure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption. Default: audit
Allowed: (audit, deny, disabled)
2021-01-27 16:54:46
add: 51522a96-0869-4791-82f3-981000c2c67f
Attestation7b256a2d-058b-41f8-bed9-3f870541c40aAzure Attestation providers should use private endpointsPrivate endpoints provide a way to connect Azure Attestation providers to your Azure resources without sending traffic over the public internet. By preventing public access, private endpoints help protect against undesired anonymous access. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-27 16:54:46
add: 7b256a2d-058b-41f8-bed9-3f870541c40a
Batch74c5a0ae-5e48-4738-b093-65e23a060488Public network access should be disabled for Batch accountsDisabling public network access on a Batch account improves security by ensuring your Batch account can only be accessed from a private endpoint. Learn more about disabling public network access at https://docs.microsoft.com/azure/batch/private-connectivity. Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-01-27 16:54:46
add: 74c5a0ae-5e48-4738-b093-65e23a060488
Security Center501541f7-f7e7-4cd6-868c-4190fdad3ac9A vulnerability assessment solution should be enabled on your virtual machinesAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-27 16:54:46
change: Major (2.0.0 > 3.0.0)
Service Bus295fc8b1-dc9f-4f53-9c61-3f313ceab40aService Bus Premium namespaces should use a customer-managed key for encryptionAzure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces. Default: Audit
Allowed: (Audit, Disabled)
2021-01-27 16:54:46
add: 295fc8b1-dc9f-4f53-9c61-3f313ceab40a
Guest Configuration5752e6d6-1206-46d8-8ab1-ecc2f71a8112Windows web servers should be configured to use secure communication protocolsTo protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-27 16:54:46
change: Major (1.0.0 > 2.0.0)
Kubernetes0a15ec92-a229-4763-bb14-0ea34a568f8dAzure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clustersAzure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Default: Audit
Allowed: (Audit, Disabled)
2021-01-27 16:54:46
change: Patch, old suffix: preview (1.0.1-preview > 1.0.2)
Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-01-27 16:54:46
change: Minor, suffix remains equal (1.0.2-preview > 1.1.0-preview)
Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default: audit
Allowed: (audit, deny, disabled)
2021-01-27 16:54:46
change: Patch (1.0.0 > 1.0.1)
HDInsight | d9da03a1-f3c3-412a-9709-947156872263 | Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes | Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-01-22 09:14:53
add: d9da03a1-f3c3-412a-9709-947156872263
Security Center | b4d66858-c922-44e3-9566-5cdb7a7be744 | [Deprecated]: A security contact phone number should be provided for your subscription | Enter a phone number to receive notifications when Azure Security Center detects compromised resources - This policy is deprecated because phone numbers are no longer used in any scenario by Azure Security Center | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
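The `change:` entries in these records follow a fixed scheme: compare the major.minor.patch triple of the old and new version (Major, Minor, Patch, or "Version remains equal"), then report what happened to the -preview or -deprecated suffix ("suffix remains equal", "old suffix: x", "new suffix: y"). The Python below reproduces that scheme together with a snapshot diff that yields the `add:` and `change:` lines. It is an added example, not the script that produced this page. Assumed: versions are always three numeric components with at most one hyphenated suffix, and a definition that disappears between snapshots is reported as `remove:`, a case the page never shows.

```python
from __future__ import annotations


def parse_version(version: str) -> tuple[tuple[int, int, int], str]:
    """Split '1.0.2-preview' into ((1, 0, 2), 'preview'); the suffix is '' when absent."""
    core, _, suffix = version.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch), suffix


def classify_change(old: str, new: str) -> str:
    """Label a version transition the way this changelog does, e.g.
    'Patch, old suffix: preview (1.0.1-preview > 1.0.2)'."""
    (o_major, o_minor, o_patch), o_suffix = parse_version(old)
    (n_major, n_minor, n_patch), n_suffix = parse_version(new)
    if n_major != o_major:
        level = "Major"
    elif n_minor != o_minor:
        level = "Minor"
    elif n_patch != o_patch:
        level = "Patch"
    else:
        level = "Version remains equal"
    parts = [level]
    if o_suffix == n_suffix:
        if o_suffix:
            parts.append("suffix remains equal")
    else:
        # Both may be reported when the suffix changes from one value to another
        # (e.g. preview to deprecated); the page only ever shows one side.
        if o_suffix:
            parts.append(f"old suffix: {o_suffix}")
        if n_suffix:
            parts.append(f"new suffix: {n_suffix}")
    return f"{', '.join(parts)} ({old} > {new})"


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> list[tuple[str, str]]:
    """Compare two {definition id: version} snapshots and emit the changelog entries.
    Unchanged versions produce nothing; 'remove:' is an assumption for ids that vanish."""
    entries = []
    for pid in sorted(set(before) | set(after)):
        if pid not in before:
            entries.append((pid, f"add: {pid}"))
        elif pid not in after:
            entries.append((pid, f"remove: {pid}"))
        elif before[pid] != after[pid]:
            entries.append((pid, f"change: {classify_change(before[pid], after[pid])}"))
    return entries


# Constructed snapshots (short placeholder ids) using version pairs that appear on this page.
BEFORE = {"aaaa": "2.0.0", "bbbb": "1.0.1-preview", "cccc": "1.0.0", "dddd": "1.0.2-preview"}
AFTER = {"aaaa": "3.0.0", "bbbb": "1.0.2", "cccc": "1.0.0-deprecated", "dddd": "1.0.2-preview",
         "eeee": "1.0.0"}

if __name__ == "__main__":
    for pid, entry in diff_snapshots(BEFORE, AFTER):
        print(pid, entry)
```

A Major bump on a built-in definition is the case worth alerting on: its `if` block or allowed effects may have changed, so an existing assignment can start evaluating different resources or stop applying a Deny it used to apply.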
HDInsight | 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6 | Azure HDInsight clusters should use encryption at host to encrypt data at rest | Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-01-22 09:14:53
add: 1fd32ebd-e4c3-4e13-a54a-d7422d4d95f6
Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
change: Patch (2.0.0 > 2.0.1)
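The in-guest setting that decides whether a Linux host still accepts passwords is sshd's `PasswordAuthentication` (an assumption about what the Guest Configuration check for this policy inspects; the page does not say). Two details trip up hand-rolled audits: sshd uses the first value it reads for a keyword, so a hardening script that appends `PasswordAuthentication no` below an older `yes` changes nothing, and a `Match` block can re-enable passwords for a subset of users. The parser below, an added example and not the policy's own check, handles both. The sshd_config samples are constructed.

```python
from __future__ import annotations

# Constructed sshd_config samples; not taken from any real host.
HARDENED = """
# Baseline from the image
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User legacyapp
    PasswordAuthentication yes
"""

DUPLICATED = """
# left behind by an earlier provisioning step
PasswordAuthentication yes
# appended by a hardening script; sshd ignores it because the first value wins
PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> tuple[dict[str, str], list[tuple[str, dict[str, str]]]]:
    """Split sshd_config into global directives and Match blocks.
    sshd keeps the first value it reads for a keyword, so a later duplicate is ignored
    here too. Keywords are case-insensitive; 'key value' and 'key=value' are both accepted.
    Only full-line comments are stripped, matching sshd's own handling."""
    global_opts: dict[str, str] = {}
    blocks: list[tuple[str, dict[str, str]]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        key = tokens[0]
        value = tokens[1] if len(tokens) > 1 else ""
        if "=" in key:
            key, eq_value = key.split("=", 1)
            value = (eq_value + " " + value).strip()
        key = key.lower()
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(key, value.strip().lower())  # first value wins
    return global_opts, blocks


def password_auth_status(text: str) -> tuple[bool, list[str]]:
    """(password auth effective globally?, Match criteria that turn it back on).
    OpenSSH defaults PasswordAuthentication to yes when the keyword is absent."""
    global_opts, blocks = parse_sshd_config(text)
    global_allowed = global_opts.get("passwordauthentication", "yes") == "yes"
    reenabled = [criteria for criteria, opts in blocks
                 if opts.get("passwordauthentication") == "yes"]
    return global_allowed, reenabled


def requires_ssh_keys(text: str) -> bool:
    """Compliant only when passwords are off globally and no Match block re-enables them."""
    global_allowed, reenabled = password_auth_status(text)
    return not global_allowed and not reenabled
```

`requires_ssh_keys(DUPLICATED)` is False even though the last line says `no`; that is the case a naive "grep the last occurrence" audit gets wrong. Note the parser reads a single file: on hosts that use `Include` directives, each included file has to be walked as well.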
Security Center | 1537496a-b1e8-482b-a06a-1cc2415cdc7b | [Preview]: Configure supported Windows machines to automatically install the Azure Security agent | Configure supported Windows machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-01-22 09:14:53
add: 1537496a-b1e8-482b-a06a-1cc2415cdc7b
Compute | ac34a73f-9fa5-4067-9247-a3ecae514468 | Configure disaster recovery on virtual machines by enabling replication | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Owner
2021-01-22 09:14:53
add: ac34a73f-9fa5-4067-9247-a3ecae514468
Security Center | 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 | [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent | Configure supported Linux virtual machines to automatically install the Azure Security agent. Security Center collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Target virtual machines must be in a supported location. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2021-01-22 09:14:53
add: 5f8eb305-9c9f-4abe-9bb0-df220d9faba2
Monitoring | ca817e41-e85a-4783-bc7f-dc532d36235e | Configure Windows virtual machines with Azure Monitor Agent | Deploy Azure Monitor Agent for Windows virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-01-22 09:14:53
add: ca817e41-e85a-4783-bc7f-dc532d36235e
Guest Configuration | fc9b3da7-8347-4380-8e70-0a0361d8dedd | [Preview]: Linux machines should meet requirements for the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
change: Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
Monitoring | a4034bc6-ae50-406d-bf76-50f4ee5a7811 | Configure Linux virtual machines with Azure Monitor Agent | Deploy Azure Monitor Agent for Linux virtual machines if the virtual machine image (OS) and location are in the list defined and the agent is not installed. The list of OS images is updated over time as support is increased. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Virtual Machine Contributor
2021-01-22 09:14:53
add: a4034bc6-ae50-406d-bf76-50f4ee5a7811
Synapse | 0049a6b3-a662-4f3e-8635-39cf44ace45a | Vulnerability assessment should be enabled on your Synapse workspaces | Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
add: 0049a6b3-a662-4f3e-8635-39cf44ace45a
Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
change: Patch (1.0.0 > 1.0.1)
Security Center | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
change: Patch (1.0.0 > 1.0.1)
HDInsight | 64d314f6-6062-4780-a861-c23e8951bee5 | Azure HDInsight clusters should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/hdi.cmk. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-01-22 09:14:53
add: 64d314f6-6062-4780-a861-c23e8951bee5
Monitoring | 17b3de92-f710-4cf4-aa55-0e7859f1ed7b | [ASC Private Preview] Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | [ASC Private Preview] Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor that do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Default: Modify
Allowed: (Modify, Disabled)
Virtual Machine Contributor
2021-01-22 09:14:53
add: 17b3de92-f710-4cf4-aa55-0e7859f1ed7b
Security Center | 760a85ff-6162-42b3-8d70-698e268f648c | [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
change: Version remains equal, new suffix: deprecated (3.0.0 > 3.0.0-deprecated)
Guest Configuration | bed48b13-6647-468e-aa2f-1af1d3f4dd40 | Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
change: Patch (1.1.0 > 1.1.1)
Guest Configuration | 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc | [Preview]: Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-22 09:14:53
add: 72650e9f-97bc-4b2a-ab5f-9781a9fcecbc
SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-01-13 16:08:35
change: Minor (1.0.1 > 1.1.0)
Data Factory | 4ec52d6d-beb7-40c4-9a9e-fe753254690e | Azure data factories should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-01-13 16:08:35
add: 4ec52d6d-beb7-40c4-9a9e-fe753254690e
SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default: Audit
Allowed: (Audit, Disabled)
2021-01-13 16:08:35
change: Minor (1.0.1 > 1.1.0)
Kubernetes | d46c275d-1680-448d-b2ec-e495a3b6cc89 | Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2021-01-13 16:08:35
add: d46c275d-1680-448d-b2ec-e495a3b6cc89
Security Center | 5c607a2e-c700-4744-8254-d77e7c9eb5e4 | External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | aa633080-8b72-40c4-a2d7-d00c03e80bed | MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | af6cd1bd-1635-48cb-bde7-5b15693900b9 | Monitor missing Endpoint Protection in Azure Security Center | Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 22730e10-96f6-4aac-ad84-9383d35b5917 | Management ports should be closed on your virtual machines | Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | f8456c1c-aa66-4dfb-861a-25d127b775c9 | External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 09024ccc-0c5f-475e-9457-b7c0d9ed487b | There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | f6de0be7-9a8a-4b8a-b349-43cf02d22f7c | Internet-facing virtual machines should be protected with network security groups | Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d | SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
add: 6ba6d016-e7c3-4842-b8f2-4992ebc0d72d
Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15 | Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 86b3d65f-7626-441e-b690-81a8b71cff60 | System updates should be installed on your machines | Missing security system updates on your servers will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (3.0.0 > 4.0.0)
Security Center | e8cbc669-f12d-49eb-93e7-9273119e9933 | Vulnerabilities in container security configurations should be remediated | Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 4f11b553-d42e-4e3a-89be-32ca364cad4c | A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Batch | 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a | Azure Batch account should use customer-managed keys to encrypt data | Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/Batch-CMK. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2021-01-05 16:06:49
add: 99e9ccd8-3db9-4592-b0d1-14b1715a4d8a
Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.1 > 3.0.0)
SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | Fixed: DeployIfNotExists
SQL Security Manager
2021-01-05 16:06:49
change: Major (1.1.0 > 2.0.0)
Monitoring | 6fc8115b-2008-441f-8c61-9b722c1e537f | Workbooks should be saved to storage accounts that you control | With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos | Default: audit
Allowed: (deny, audit, disabled)
2021-01-05 16:06:49
add: 6fc8115b-2008-441f-8c61-9b722c1e537f
Security Center | 3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4 | Vulnerabilities in security configuration on your virtual machine scale sets should be remediated | Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 5f76cf89-fbf2-47fd-a3f4-b891fa780b60 | External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | e3576e28-8b17-4677-84c3-db2990658d64 | MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | Vulnerabilities in Azure Container Registry images should be remediated | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (1.0.0 > 2.0.0)
Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349 | [Preview]: Sensitive data in your SQL databases should be classified | Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major, suffix remains equal (2.0.0-preview > 3.0.0-preview)
Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2021-01-05 16:06:49
change: Patch (1.0.0 > 1.0.1)
Security Center | 9daedab3-fb2d-461e-b861-71790eead4f6 | All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.1 > 3.0.0)
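Two records in this section concern inbound NSG rules: 22730e10 (management ports should be closed) and 9daedab3 (inbound rules should not allow access from 'Any' or 'Internet'). A quick audit of an exported NSG has to respect how the platform evaluates rules: lowest priority number first, first match wins, and anything unmatched falls through to the built-in DenyAllInBound rule, so a high-priority Deny correctly shadows a later Allow on the same port. The Python below is an added example implementing that walk; it is not Security Center's own evaluation logic, which the page does not describe. The rules are constructed, and only wildcard sources ('*', 'Internet', '0.0.0.0/0') are treated as Internet-facing, so a rule scoped to a bastion subnet is not flagged and neither is one scoped to a specific public CIDR (a simplification).

```python
from __future__ import annotations

# Constructed NSG rules in the shape of the Azure resource model
# (properties.direction/access/priority/protocol/sourceAddressPrefix/destinationPortRange).
# Illustrative only, not exported from a real subscription.
RULES = [
    {"name": "allow-rdp-from-internet", "properties": {"priority": 100, "direction": "Inbound",
        "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "deny-ssh", "properties": {"priority": 110, "direction": "Inbound",
        "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"}},
    {"name": "allow-mgmt-from-bastion", "properties": {"priority": 150, "direction": "Inbound",
        "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "22-23"}},
    {"name": "allow-ssh-any", "properties": {"priority": 200, "direction": "Inbound",
        "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
    {"name": "allow-web", "properties": {"priority": 300, "direction": "Inbound",
        "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]}},
    {"name": "allow-all-in", "properties": {"priority": 400, "direction": "Inbound",
        "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
]

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that admit traffic from the public Internet ('Any'/'Internet' in the policy text).
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}


def _values(props: dict, plural: str, singular: str) -> list[str]:
    """Azure populates either the plural list or the singular string; normalise to a list."""
    return props.get(plural) or [props.get(singular, "*")]


def port_in_spec(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_matches_internet(rule: dict, port: int, protocol: str = "Tcp") -> bool:
    """True if this rule is consulted for Internet-sourced traffic to the port."""
    p = rule["properties"]
    if p["direction"] != "Inbound" or p["protocol"] not in ("*", protocol):
        return False
    sources = _values(p, "sourceAddressPrefixes", "sourceAddressPrefix")
    if not any(s.lower() in INTERNET_SOURCES for s in sources):
        return False
    ports = _values(p, "destinationPortRanges", "destinationPortRange")
    return any(port_in_spec(port, spec) for spec in ports)


def internet_verdict(rules: list[dict], port: int, protocol: str = "Tcp") -> tuple[str, str]:
    """Walk rules in priority order; first match wins; fall through to the platform default."""
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        if rule_matches_internet(rule, port, protocol):
            return rule["properties"]["access"], rule["name"]
    return "Deny", "DenyAllInBound"


def exposed_management_ports(rules: list[dict]) -> list[tuple[int, str, str]]:
    """Management ports reachable from the Internet and the rule that opens each (22730e10)."""
    found = []
    for port, label in sorted(MANAGEMENT_PORTS.items()):
        access, name = internet_verdict(rules, port)
        if access == "Allow":
            found.append((port, label, name))
    return found


def overly_permissive_rules(rules: list[dict]) -> list[str]:
    """Inbound Allow rules open to Any/Internet on every port (the pattern behind 9daedab3)."""
    names = []
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        sources = _values(p, "sourceAddressPrefixes", "sourceAddressPrefix")
        ports = _values(p, "destinationPortRanges", "destinationPortRange")
        if any(s.lower() in INTERNET_SOURCES for s in sources) and "*" in ports:
            names.append(rule["name"])
    return names
```

On the sample set RDP is reported as exposed, SSH is not (the Deny at priority 110 shadows the Allow at 200, even though both exist), and `allow-all-in` is flagged as the wide-open rule. An NSG on the subnet is evaluated in addition to one on the NIC, so a real audit runs the walk over both.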
Security Center | 26a828e1-e88f-464e-bbb3-c134a282b9de | Endpoint protection solution should be installed on virtual machine scale sets | Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 760a85ff-6162-42b3-8d70-698e268f648c | [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution | Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Bot Service | 6164527b-e1ee-4882-8673-572f425f5e0a | Bot Service endpoint should be a valid HTTPS URI | Data can be tampered with during transmission. Protocols exist that provide encryption to address problems of misuse and tampering. To ensure your bots are communicating only over encrypted channels, set the endpoint to a valid HTTPS URI. This ensures the HTTPS protocol is used to encrypt your data in transit and is also often a requirement for compliance with regulatory or industry standards. Please visit: https://docs.microsoft.com/azure/bot-service/bot-builder-security-guidelines. | Default: audit
Allowed: (audit, deny, disabled)
2021-01-05 16:06:49
add: 6164527b-e1ee-4882-8673-572f425f5e0a
Security Center | 6b1cbf55-e8b6-442f-ba4c-7246b6381474 | Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Azure Stack Edge | b4ac1030-89c5-4697-8e00-28b5ba6a8811 | Azure Stack Edge devices should use double-encryption | To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device. | Default: audit
Allowed: (audit, deny, disabled)
2021-01-05 16:06:49
add: b4ac1030-89c5-4697-8e00-28b5ba6a8811
Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 9297c21d-2ed6-4474-b48f-163f75654ce3 | MFA should be enabled on accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | c3f317a7-a95c-4547-b7e7-11017ebdf2fe | System updates on virtual machine scale sets should be installed | Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | ebb62a0c-3560-49e1-89ed-27e074e9f8ad | Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2021-01-05 16:06:49
change: Major (2.0.0 > 3.0.0)
Security Center | 6e2593d9-add6-4083-9c9b-4b7d2188c899 | Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Key Vault | 0a075868-4c26-42ef-914c-5bc007359560 | [Preview]: Certificates should have the specified maximum validity period | Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. | Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Minor, suffix remains equal (2.0.0-preview > 2.1.0-preview)
Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Kubernetes | 423dd1ba-798e-40e4-9c4d-b6902674b423 | [Preview]: Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
add: 423dd1ba-798e-40e4-9c4d-b6902674b423
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (2.0.1 > 3.0.1)
Key Vault | 98728c90-32c7-4049-8429-847dc0f4fe37 | [Preview]: Key Vault secrets should have an expiration date | Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Kubernetes | b2fd3e59-6390-4f2b-8247-ea676bd03e2d | [Deprecated]: Enforce unique ingress hostnames across namespaces in Kubernetes cluster | This policy enforces unique ingress hostnames across namespaces in a Kubernetes cluster. For instructions on using this policy, please go to https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major, suffix remains equal (3.0.1-deprecated > 4.0.1-deprecated)
Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Kubernetes | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1)
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (2.0.1 > 3.0.1)
Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 | Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1)
Kubernetes | 233a2a17-77ca-4fb1-9b6b-69223d272a44 | Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1)
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Storage | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Data Box | 86efb160-8de7-451d-bc08-5d475b0aadae | Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password | Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
add: 86efb160-8de7-451d-bc08-5d475b0aadae
Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | a27c700f-8a22-44ec-961c-41625264370b | [Preview]: Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
add: a27c700f-8a22-44ec-961c-41625264370b
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Security Center | ae89ebca-1c92-4898-ac2c-9f63decb045c | Guest Configuration extension should be installed on your machines | To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
add: ae89ebca-1c92-4898-ac2c-9f63decb045c
Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center data | Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists | Contributor
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.0)
Kubernetes | 7d7be79c-23ba-4033-84dd-45e2a5ccdd67 | Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
add: 7d7be79c-23ba-4033-84dd-45e2a5ccdd67
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Security Center | 4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 | Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
Kubernetes | 9f061a12-e40d-4183-a00e-171812443373 | [Preview]: Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
add: 9f061a12-e40d-4183-a00e-171812443373
SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
SQL | 048248b0-55cd-46da-b1ff-39efd52db260 | SQL managed instances should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Patch, suffix remains equal (2.0.0-preview > 2.0.1-preview)
Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
Kubernetes | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d | Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1)
Key Vault | 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 | [Preview]: Key Vault keys should have an expiration date | Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch, suffix remains equal (1.0.0-preview > 1.0.1-preview)
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (2.0.1 > 3.0.1)
App Service | eaebaea7-8013-4ceb-9d14-7eb32271373c | Function apps should have 'Client Certificates (Incoming client certificates)' enabled | Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Kubernetes | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e | Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1)
Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.1.0 > 1.1.1)
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center data | Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. Fixed: deployIfNotExists | Contributor
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.0)
Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Version remains equal, new suffix: deprecated (1.0.0 > 1.0.0-deprecated)
Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
Security Center | 0b15565f-aa9e-48ba-8619-45960f2c314d | Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Security Center | d26f7642-7545-4e18-9b75-8c9bbdee3a9a | Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity | The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
add: d26f7642-7545-4e18-9b75-8c9bbdee3a9a
SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Data Box | c349d81b-9985-44ae-a8da-ff98d108ede8 | Azure Data Box jobs should enable double encryption for data at rest on the device | Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
add: c349d81b-9985-44ae-a8da-ff98d108ede8
Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
SQL | 0d134df8-db83-46fb-ad72-fe0c9428c8dd | SQL servers should use customer-managed keys to encrypt data at rest | Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.1)
App Configuration | ca610c1d-041c-4332-9d88-7ed3094967c7 | App Configuration should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/appconfig/private-endpoint. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.1 > 1.0.2)
Key Vault | 5f0bc445-3935-4915-9981-011aa2b46147 | [Preview]: Private endpoint should be configured for Key Vault | Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit
Allowed: (Audit, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1)
Kubernetes | 440b515e-a580-421e-abeb-b159a61ddcbc | Kubernetes cluster containers should only listen on allowed ports | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1)
Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Azure Key Vault should disable public network access | Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch, suffix remains equal (1.0.1-preview > 1.0.2-preview)
Security Center | 475aae12-b88a-4572-8b36-9b712b2b3a17 | Auto provisioning of the Log Analytics agent should be enabled on your subscription | To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: deny
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (4.0.1 > 5.0.1)
VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-12-11 15:42:52
change: Major (1.0.1 > 2.0.1)
SQL | d38fc420-0735-4ef3-ac11-c806f651a570 | Long-term geo-redundant backup should be enabled for Azure SQL Databases | This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.0)
Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.0.0 > 1.0.1)
SQL | 89099bee-89e0-4b26-a5f4-165451757743 | SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server auditing to a storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-12-11 15:42:52
change: Major (1.0.0 > 2.0.0)
Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-12-11 15:42:52
change: Patch (1.1.0 > 1.1.1)
Security Center | 08e6af2d-db70-460a-bfe9-d5bd474ba9d6 | Adaptive network hardening recommendations should be applied on internet facing virtual machines | Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-11-17 14:39:37
change: Patch (2.0.0 > 2.0.1)
Tags | 96d9a89c-0d67-41fc-899d-2b9599f76a24 | Add a tag to subscriptions | Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | Fixed: modify | Tag Contributor
2020-11-17 14:39:37
add: 96d9a89c-0d67-41fc-899d-2b9599f76a24
Synapse | 72d11df1-dd8a-41f7-8925-b05b960ebafc | Azure Synapse workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/synapse-analytics/security/how-to-connect-to-workspace-with-private-links. | Default: Audit
Allowed: (Audit, Disabled)
2020-11-17 14:39:37
add: 72d11df1-dd8a-41f7-8925-b05b960ebafc
Synapse | f7d52b2d-e161-4dfa-a82b-55e564167385 | Azure Synapse workspaces should use customer-managed keys to encrypt data at rest | Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-11-17 14:39:37
add: f7d52b2d-e161-4dfa-a82b-55e564167385
Tags | 61a4d60b-7326-440e-8051-9f94394d4dd1 | Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing subscriptions can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | Fixed: modify | Tag Contributor
2020-11-17 14:39:37
add: 61a4d60b-7326-440e-8051-9f94394d4dd1
Synapse | 56fd377d-098c-4f02-8406-81eb055902b8 | IP firewall rules on Azure Synapse workspaces should be removed | Removing all IP firewall rules improves security by ensuring your Azure Synapse workspace can only be accessed from a private endpoint. This configuration audits creation of firewall rules that allow public network access on the workspace. | Default: Audit
Allowed: (Audit, Disabled)
2020-11-17 14:39:37
add: 56fd377d-098c-4f02-8406-81eb055902b8
Synapse | 2d9dbfa3-927b-4cf0-9d0f-08747f971650 | Managed workspace virtual network on Azure Synapse workspaces should be enabled | Enabling a managed workspace virtual network ensures that your workspace is network isolated from other workspaces. Data integration and Spark resources deployed in this virtual network also provide user-level isolation for Spark activities. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-11-17 14:39:37
add: 2d9dbfa3-927b-4cf0-9d0f-08747f971650
Monitoring | 053d3325-282c-4e5c-b944-24faffd30d77 | Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor
2020-11-10 16:00:42
change: Major (1.2.0 > 2.0.0)
Stream Analytics | 87ba29ef-1ab3-4d82-b763-87fcd4f531f7 | Azure Stream Analytics jobs should use customer-managed keys to encrypt data | Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted. | Default: audit
Allowed: (audit, deny, disabled)
2020-11-10 16:00:42
add: 87ba29ef-1ab3-4d82-b763-87fcd4f531f7
App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-11-10 16:00:42
change: Minor (1.0.1 > 1.1.0)
Azure Data Explorer | 81e74cea-30fd-40d5-802f-d72103c2aaaa | Azure Data Explorer encryption at rest should use a customer-managed key | Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to manage the keys. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-11-10 16:00:42
add: 81e74cea-30fd-40d5-802f-d72103c2aaaa
Backup | 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2020-11-10 16:00:42
add: 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86
Backup | 345fa903-145c-4fe1-8bcd-93ec2adccde8 | Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupIncludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2020-11-10 16:00:42
add: 345fa903-145c-4fe1-8bcd-93ec2adccde8
Backup | 83644c87-93dd-49fe-bf9f-6aff8fd0834e | Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupIncludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2020-11-10 16:00:42
add: 83644c87-93dd-49fe-bf9f-6aff8fd0834e
API for FHIR | 1ee56206-5dd1-42ab-b02d-8aae8b1634ce | Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Default: Audit
Allowed: (Audit, Disabled)
2020-11-10 16:00:42
add: 1ee56206-5dd1-42ab-b02d-8aae8b1634ce
Security Center | feedbf84-6b99-488c-acc2-71c829aa5ffc | SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-11-10 16:00:42
change: Major (2.0.0 > 3.0.0)
Security Center | 80e94a21-c6cd-4c95-a2c7-beb5704e61c0 | Deploy - Configure suppression rules for Azure Security Center alerts | Suppress Azure Security Center alerts to reduce alert fatigue by deploying suppression rules on your management group or subscription. | Fixed: deployIfNotExists | Security Admin
2020-11-10 16:00:42
add: 80e94a21-c6cd-4c95-a2c7-beb5704e61c0
Monitoring | 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 | Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | Fixed: deployIfNotExists | Log Analytics Contributor
Virtual Machine Contributor
2020-11-10 16:00:42
change: Major (1.2.0 > 2.0.0)
Backup | 09ce66bc-1220-4153-8104-e3f51c936913 | Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMCentralBackupExcludeTag. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Virtual Machine Contributor
Backup Contributor
2020-11-10 16:00:42
change: Minor (1.0.0 > 1.1.0)
Portal | 04c655fe-0ac7-48ae-9a32-3a2e208c7624 | Shared dashboards should not have markdown tiles with inline content | Disallow creating a shared dashboard that has inline content in markdown tiles and enforce that the content should be stored as a markdown file that's hosted online. If you use inline content in the markdown tile, you cannot manage encryption of the content. By configuring your own storage, you can encrypt, double encrypt and even bring your own keys. Enabling this policy restricts users to version 2020-09-01-preview or later of the shared dashboards REST API. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-11-10 16:00:42
add: 04c655fe-0ac7-48ae-9a32-3a2e208c7624
Azure Data Explorer | f4b53539-8df9-40e4-86c6-6b607703bd4e | Disk encryption should be enabled on Azure Data Explorer | Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-11-10 16:00:42
add: f4b53539-8df9-40e4-86c6-6b607703bd4e
Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default: audit
Allowed: (audit, deny, disabled)
2020-11-10 16:00:42
change: Major, suffix remains equal (1.0.1-preview > 2.0.0-preview)
Azure Data Explorer | ec068d99-e9c7-401f-8cef-5bdde4e6ccf1 | Double encryption should be enabled on Azure Data Explorer | Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-11-10 16:00:42
add: ec068d99-e9c7-401f-8cef-5bdde4e6ccf1
Azure Data Explorer | 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 | Virtual network injection should be enabled for Azure Data Explorer | Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-11-10 16:00:42
add: 9ad2fd1f-b25f-47a2-aa01-1a5a779e6413
Synapse | 3a003702-13d2-4679-941b-937e58c443f0 | Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants | Protect your Synapse workspace by only allowing connections to resources in approved Azure Active Directory (Azure AD) tenants. The approved Azure AD tenants can be defined during policy assignment. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2020-11-10 16:00:42
add: 3a003702-13d2-4679-941b-937e58c443f0
Guest Configuration | d3b823c9-e0fc-4453-9fb2-8213b7338523 | Audit Linux machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. | Fixed: auditIfNotExists
2020-10-27 14:12:45
change: Major (2.0.0 > 3.0.0)
SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit
Allowed: (Audit, Disabled)
2020-10-27 14:12:45
change: Patch (1.0.0 > 1.0.1)
SQL | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit
Allowed: (Audit, Disabled)
2020-10-27 14:12:45
change: Patch (1.0.0 > 1.0.1)
Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-27 14:12:45
change: Patch (1.0.0 > 1.0.1)
Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-27 14:12:45
change: Minor (1.0.0 > 1.1.0)
API for FHIR | 051cba44-2429-45b9-9649-46cec11c7119 | Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys. | Default: audit
Allowed: (audit, disabled)
2020-10-27 14:12:45
add: 051cba44-2429-45b9-9649-46cec11c7119
SQL | 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 | Deploy Threat Detection on SQL servers | This policy ensures that Threat Detection is enabled on SQL Servers. | Fixed: DeployIfNotExists | SQL Security Manager
2020-10-27 14:12:45
change: Minor (1.0.0 > 1.1.0)
Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Fixed: auditIfNotExists
2020-10-27 14:12:45
change: Major (2.0.0 > 3.0.0)
Monitoring | c5447c04-a4d7-4ba8-a263-c9ee321a6858 | An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-27 14:12:45
change: Major (2.0.0 > 3.0.0)
SQL | 057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9 | Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports | Ensure that an email address is provided for the 'Send scan reports to' field in the Vulnerability Assessment settings. This email address receives a scan result summary after a periodic scan runs on SQL servers. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-27 14:12:45
change: Major (1.0.0 > 2.0.0)
Key Vault | 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 | Key vaults should have purge protection enabled | Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-23 13:31:09
change: Minor (1.0.0 > 1.1.0)
Key Vault | 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d | Key vaults should have soft delete enabled | Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-23 13:31:09
add: 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
App Service | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc | Ensure that 'Java version' is the latest, if used as a part of the Function app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.1 > 2.0.0)
App Service | 7261b898-8a84-4db8-9e04-18527132abb3 | Ensure that 'PHP version' is the latest, if used as a part of the WEB app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
Kubernetes | a8eff44f-8c92-45c3-a3fb-9880802d67a7 | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | Fixed: deployIfNotExists | Azure Kubernetes Service Contributor Role
2020-10-20 13:29:33
add: a8eff44f-8c92-45c3-a3fb-9880802d67a7
App Service | 496223c3-ad65-4ecd-878a-bae78737e9ed | Ensure that 'Java version' is the latest, if used as a part of the Web app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
App Service | 88999f4c-376a-45c8-bcb3-4058f713cf39 | Ensure that 'Java version' is the latest, if used as a part of the API app | Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
App Service | 991310cd-e9f3-47bc-b7b6-f57b557d07db | Ensure that 'HTTP Version' is the latest, if used to run the API app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for API apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
App Service | 8c122334-9d20-4eb8-89ea-ac9a705b74ae | Ensure that 'HTTP Version' is the latest, if used to run the Web app | Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Use the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.1.0 > 2.0.0)
SQL | 24fba194-95d6-48c0-aea7-f65bf859c598 | Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers | Enable infrastructure encryption for Azure Database for PostgreSQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-20 13:29:33
add: 24fba194-95d6-48c0-aea7-f65bf859c598
App Service | 1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba | Ensure that 'PHP version' is the latest, if used as a part of the API app | Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-20 13:29:33
add: 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48
SQL | 3a58212a-c829-4f13-9872-6371df2fd0b4 | Infrastructure encryption should be enabled for Azure Database for MySQL servers | Enable infrastructure encryption for Azure Database for MySQL servers to have a higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-20 13:29:33
add: 3a58212a-c829-4f13-9872-6371df2fd0b4
App Service74c3584d-afae-46f7-a20a-6f8adba71a16Ensure that 'Python version' is the latest, if used as a part of the API appPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
SQLc9299215-ae47-4f50-9c54-8a392f68a052Public network access should be disabled for MySQL flexible serversDisabling the public network access property improves security by ensuring your Azure Database for MySQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-20 13:29:33
add: c9299215-ae47-4f50-9c54-8a392f68a052
App Service7238174a-fd10-4ef0-817e-fc820a951d73Ensure that 'Python version' is the latest, if used as a part of the Function appPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
App Servicee2c1c086-2d84-4019-bff3-c44ccd95113cEnsure that 'HTTP Version' is the latest, if used to run the Function appPeriodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
App Service7008174a-fd10-4ef0-817e-fc820a951d73Ensure that 'Python version' is the latest, if used as a part of the Web appPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-10-20 13:29:33
change: Major (1.0.0 > 2.0.0)
Key Vault75c4f823-d65c-4f29-a733-01d0077fdbcb[Preview]: Keys should be the specified cryptographic type RSA or ECSome applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 75c4f823-d65c-4f29-a733-01d0077fdbcb
Key Vault152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0[Preview]: Key Vault keys should have an expiration dateCryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0
Key Vault5ff38825-c5d8-47c5-b70e-069a21955146[Preview]: Keys should have more than the specified number of days before expirationIf a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 5ff38825-c5d8-47c5-b70e-069a21955146
Key Vaultc26e4b24-cf98-4c67-b48b-5a25c4c69eb9[Preview]: Keys should not be active for longer than the specified number of daysSpecify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: c26e4b24-cf98-4c67-b48b-5a25c4c69eb9
Key Vault342e8053-e12e-4c44-be01-c3c2f318400f[Preview]: Secrets should have the specified maximum validity periodManage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 342e8053-e12e-4c44-be01-c3c2f318400f
Key Vaultb0eb591a-5e70-4534-a8bf-04b9c489584a[Preview]: Secrets should have more than the specified number of days before expirationIf a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: b0eb591a-5e70-4534-a8bf-04b9c489584a
Key Vault82067dbb-e53b-4e06-b631-546d197452d9[Preview]: Keys using RSA cryptography should have a specified minimum key sizeSet the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 82067dbb-e53b-4e06-b631-546d197452d9
Key Vaultff25f3c8-b739-4538-9d07-3d6d25cfb255[Preview]: Keys using elliptic curve cryptography should have the specified curve namesKeys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: ff25f3c8-b739-4538-9d07-3d6d25cfb255
Key Vaulte8d99835-8a06-45ae-a8e0-87a91941ccfe[Preview]: Secrets should not be active for longer than the specified number of daysIf your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: e8d99835-8a06-45ae-a8e0-87a91941ccfe
Key Vault49a22571-d204-4c91-a7b6-09b1a586fbc9[Preview]: Keys should have the specified maximum validity periodManage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 49a22571-d204-4c91-a7b6-09b1a586fbc9
Key Vault98728c90-32c7-4049-8429-847dc0f4fe37[Preview]: Key Vault secrets should have an expiration dateSecrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 98728c90-32c7-4049-8429-847dc0f4fe37
Key Vault587c79fe-dd04-4a5e-9d0b-f89598c7261b[Preview]: Keys should be backed by a hardware security module (HSM)An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key cannot leave a physical HSM which provides a greater level of security than a software key. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 587c79fe-dd04-4a5e-9d0b-f89598c7261b
Key Vault75262d3e-ba4a-4f43-85f8-9f72c090e5e3[Preview]: Secrets should have content type setA content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-16 12:27:50
add: 75262d3e-ba4a-4f43-85f8-9f72c090e5e3
General6fdb9205-3462-4cfc-87d8-16c7860b53f4[Deprecated]: Allow resource creation only in Japan data centersAllows resource creation in the following locations only: Japan East, Japan Westn/an/a
2020-10-15 14:28:11
remove: 6fdb9205-3462-4cfc-87d8-16c7860b53f4 (i)
Generale01598e8-6538-41ed-95e8-8b29746cd697[Deprecated]: Allow resource creation only in Japan data centersAllows resource creation in the following locations only: Japan East, Japan Westn/an/a
2020-10-15 14:28:11
remove: e01598e8-6538-41ed-95e8-8b29746cd697 (i)
Lighthouse7a8a51a3-ad87-4def-96f3-65a1839242b6Allow managing tenant ids to onboard through Azure LighthouseRestricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. Fixed: deny
2020-10-13 13:23:36
change: Patch (1.0.0 > 1.0.1)
Storage4733ea7b-a883-42fe-8cac-97454c2a9e4aStorage accounts should have infrastructure encryptionEnable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-10-07 16:00:33
add: 4733ea7b-a883-42fe-8cac-97454c2a9e4a
Lighthouse7a8a51a3-ad87-4def-96f3-65a1839242b6Allow managing tenant ids to onboard through Azure LighthouseRestricting Azure Lighthouse delegations to specific managing tenants increases security by limiting those who can manage your Azure resources. Fixed: deny
2020-09-30 14:32:32
add: 7a8a51a3-ad87-4def-96f3-65a1839242b6
Guest Configuration630c64f9-8b6b-4c64-b511-6544ceff6fd6Authentication to Linux machines should require SSH keysAlthough SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-16 13:09:49
change: Previous DisplayName: Audit Linux virtual machines on which the use of passwords for SSH is allowed
Guest Configuration93507a81-10a4-4af0-9ee2-34cf25a96e98[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified membersThis policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members
Guest Configurationbde62c94-ccca-4821-a815-92c1d31a76de[Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified membersThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group contains any of the specified members
Kubernetes0a15ec92-a229-4763-bb14-0ea34a568f8dAzure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clustersAzure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Default: Audit
Allowed: (Audit, Disabled)
2020-09-16 13:09:49
change: Previous DisplayName: [Preview]: Kubernetes Management Policy add-on should be installed and enabled on your clusters
Guest Configuration02a84be7-c304-421f-9bb7-5d2c26af54ad[Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified oneThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Guest Configurationbed48b13-6647-468e-aa2f-1af1d3f4dd40Windows Defender Exploit Guard should be enabled on your machinesWindows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-16 13:09:49
change: Previous DisplayName: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled
Guest Configurationcc7cda28-f867-4311-8497-a526129a8d19[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified membersThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members
Guest Configuration144f1397-32f9-4598-8c88-118decc3ccba[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified membersThis policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members
Guest Configurationb821191b-3a12-44bc-9c38-212138a29ff3[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified membersThis policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members
Guest Configurationf3b44e5d-1456-475f-9c67-c66c4618e85a[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified membersThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members
Guest Configuration5bb36dda-8a78-4df9-affd-4f05a8612a8a[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified oneThis policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-16 13:09:49
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Kubernetesf85eb0dd-92ee-40e9-8a76-db25a507d6d3Kubernetes cluster containers should only use allowed ProcMountTypePod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed ProcMountType
Guest Configuration385f5831-96d4-41db-9a3c-cd3af78aaae6Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMsThis policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExistsContributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Guest Configuratione0a7e899-2ce2-4253-8a13-d808fdeb75afWindows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)'
Kubernetes47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8Kubernetes cluster containers should not share host process ID or host IPC namespaceBlock pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace
Kubernetesf4a8fce0-2dd5-4c21-9a36-8f0ec809d663Kubernetes cluster pod FlexVolume volumes should only use allowed driversPod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pod FlexVolume volumes should only use allowed drivers
Guest Configuration43bb60fe-1d7e-4b82-9e93-496bfc99e7d5Windows machines should meet requirements for 'System Audit Policies - Account Logon'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Logon'
Guest Configuration8537fe96-8cbe-43de-b0ef-131bc72bc22aWindows machines should meet requirements for 'Windows Components'Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Components'
Guest Configuration331e8ea8-378a-410f-a2e5-ae22f38bb0daDeploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMsThis policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: deployIfNotExistsContributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Guest Configuration3ff60f98-7fa4-410a-9f7f-0b00f5afdbddWindows machines should meet requirements for 'Security Options - Network Access'Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Access'
Kubernetese345eecc-fa47-480f-9e88-67dcc122b164Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limitsEnforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster
Guest Configuration33936777-f2ac-45aa-82ec-07958ec9ade4Windows machines should meet requirements for 'Security Options - Audit'Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Audit'
Guest Configuration19be9779-c776-4dfa-8a15-a2fd5dc843d6Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'
Guest Configuration497dff13-db2a-4c0f-8603-28fa3b331ab6Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identityThis policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. Fixed: modifyContributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Kubernetes56d0a13f-712f-466b-8416-56fb354fb823Kubernetes cluster containers should not use forbidden sysctl interfacesContainers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should not use forbidden sysctl interfaces
Kubernetes95edb821-ddaf-4404-9732-666045e056b4Kubernetes cluster should not allow privileged containersDo not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Do not allow privileged containers in Kubernetes cluster
Guest Configurationd472d2c9-d6a3-4500-9f5f-b15f123005aaWindows machines should meet requirements for 'Security Options - Interactive Logon'Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Interactive Logon'
Kubernetes1a5b4dca-0b6f-4cf5-907c-56316bc1bf3dKubernetes clusters should be accessible only over HTTPSUse of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce HTTPS ingress in Kubernetes cluster
Guest Configuration87845465-c458-45f3-af66-dcd62176f397Windows machines should meet requirements for 'System Audit Policies - Privilege Use'Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Privilege Use'
Kubernetes46592696-4c7b-4bf3-9e45-6c2763bdc0a6Kubernetes cluster pods should use specified labelsUse specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce labels on pods in Kubernetes cluster
Kubernetesf06ddb64-5fa3-4b77-b166-acb36f7f6042Kubernetes cluster pods and containers should only run with approved user and group IDsControl the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs

Category: Guest Configuration
Id: 94d9aca8-3757-46df-aa51-f218c5f11954
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Account Management'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Account Management'

Category: Guest Configuration
Id: d6c69680-54f0-4349-af10-94dd05f4225e
DisplayName: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'

Category: Guest Configuration
Id: 12017595-5a75-4bb1-9d97-4c2c939ea3c3
DisplayName: Windows machines should meet requirements for 'Security Options - System settings'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System settings'

Category: Kubernetes
Id: 440b515e-a580-421e-abeb-b159a61ddcbc
DisplayName: Kubernetes cluster containers should only listen on allowed ports
Description: Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure containers listen only on allowed ports in Kubernetes cluster

Category: Guest Configuration
Id: bed48b13-6647-468e-aa2f-1af1d3f4dd40
DisplayName: Windows Defender Exploit Guard should be enabled on your machines
Description: Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled

Category: Kubernetes
Id: 16697877-1118-4fb1-9b65-9898ec2509ec
DisplayName: Kubernetes cluster pods should only use allowed volume types
Description: Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods should only use allowed volume types

Category: Kubernetes
Id: 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e
DisplayName: Kubernetes clusters should use internal load balancers
Description: Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Enforce internal load balancers in Kubernetes cluster

Category: Guest Configuration
Id: caf2d518-f029-4f6b-833b-d7081702f253
DisplayName: Windows machines should meet requirements for 'Security Options - Microsoft Network Server'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Microsoft Network Server'

Category: Kubernetes
Id: 975ce327-682c-4f2e-aa46-b9598289b86c
DisplayName: Kubernetes cluster containers should only use allowed seccomp profiles
Description: Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles

Category: Guest Configuration
Id: b4a4d1eb-0263-441b-84cb-a44073d8372d
DisplayName: Windows machines should meet requirements for 'Security Options - Shutdown'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Shutdown'

Category: Guest Configuration
Id: 2f262ace-812a-4fd0-b731-b38ba9e9708d
DisplayName: Windows machines should meet requirements for 'Security Options - System objects'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - System objects'

Category: Guest Configuration
Id: 2a7a701e-dff3-4da9-9ec5-42cb98594c0b
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Policy Change'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Policy Change'

Category: Kubernetes
Id: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
DisplayName: Kubernetes clusters should not allow container privilege escalation
Description: Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes clusters should not allow container privilege escalation

Category: Guest Configuration
Id: 35d9882c-993d-44e6-87d2-db66ce21b636
DisplayName: Windows machines should meet requirements for 'Windows Firewall Properties'
Description: Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Windows Firewall Properties'

Category: Guest Configuration
Id: 3aa2661b-02d7-4ba6-99bc-dc36b10489fd
DisplayName: Windows machines should meet requirements for 'Administrative Templates - Control Panel'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Control Panel'

Category: Guest Configuration
Id: 6141c932-9384-44c6-a395-59e4c057d7c9
DisplayName: Configure time zone on Windows machines.
Description: This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.
Fixed: deployIfNotExists
Roles used: Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Configure time zone on Windows machines.

Category: Guest Configuration
Id: f2143251-70de-4e81-87a8-36cee5a2f29d
DisplayName: Windows machines should meet requirements for 'Security Settings - Account Policies'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Settings - Account Policies'

Category: Kubernetes
Id: 511f5417-5d12-434d-ab2e-816901e72a5e
DisplayName: Kubernetes cluster containers should only use allowed AppArmor profiles
Description: Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed AppArmor profiles

Category: Guest Configuration
Id: e068b215-0026-4354-b347-8fb2766f73a2
DisplayName: Windows machines should meet requirements for 'User Rights Assignment'
Description: Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'User Rights Assignment'

Category: Guest Configuration
Id: 968410dc-5ca0-4518-8a5b-7b55f0530ea9
DisplayName: Windows machines should meet requirements for 'Administrative Templates - System'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - System'

Category: Guest Configuration
Id: 1221c620-d201-468c-81e7-2817e6107e84
DisplayName: Windows machines should meet requirements for 'Security Options - Network Security'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Network Security'

Category: Kubernetes
Id: 233a2a17-77ca-4fb1-9b6b-69223d272a44
DisplayName: Kubernetes cluster services should listen only on allowed ports
Description: Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure services listen only on allowed ports in Kubernetes cluster

Category: Kubernetes
Id: 82985f06-dc18-4a48-bc1c-b9f4f0098cfe
DisplayName: Kubernetes cluster pods should only use approved host network and port range
Description: Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods should only use approved host network and port range

Category: Kubernetes
Id: df49d893-a74c-421d-bc95-c663042e5b80
DisplayName: Kubernetes cluster containers should run with a read only root file system
Description: Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should run with a read only root file system

Category: Guest Configuration
Id: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
DisplayName: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
Description: This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Fixed: modify
Roles used: Contributor
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities

Category: Kubernetes
Id: e1e6c427-07d9-46ab-9689-bfa85431e636
DisplayName: Kubernetes cluster pods and containers should only use allowed SELinux options
Description: Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only use allowed SELinux options

Category: Guest Configuration
Id: f71be03e-e25b-4d0f-b8bc-9b3e309b66c0
DisplayName: Windows machines should meet requirements for 'Security Options - Recovery console'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Recovery console'

Category: Guest Configuration
Id: 8316fa92-d69c-4810-8124-62414f560dcf
DisplayName: Windows machines should meet requirements for 'System Audit Policies - System'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - System'

Category: Automanage
Id: 270610db-8c04-438a-a739-e8e6745b22d3
DisplayName: Configure virtual machines to be onboarded to Azure Automanage
Description: Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope.
Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Roles used: Contributor
2020-09-15 14:06:41
add: 270610db-8c04-438a-a739-e8e6745b22d3

Category: Guest Configuration
Id: 58383b73-94a9-4414-b382-4146eb02611b
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'

Category: Guest Configuration
Id: 630c64f9-8b6b-4c64-b511-6544ceff6fd6
DisplayName: Authentication to Linux machines should require SSH keys
Description: Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Audit Linux virtual machines on which the use of passwords for SSH is allowed

Category: Guest Configuration
Id: 492a29ed-d143-4f03-b6a4-705ce081b463
DisplayName: Windows machines should meet requirements for 'Security Options - User Account Control'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - User Account Control'

Category: Guest Configuration
Id: 67e010c1-640d-438e-a3a5-feaccb533a98
DisplayName: Windows machines should meet requirements for 'Administrative Templates - Network'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Administrative Templates - Network'

Category: Guest Configuration
Id: ee984370-154a-4ee8-9726-19d900e56fc0
DisplayName: Windows machines should meet requirements for 'Security Options - Accounts'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Accounts'

Category: Kubernetes
Id: 098fc59e-46c7-4d99-9b16-64990e543d75
DisplayName: Kubernetes cluster pod hostPath volumes should only use allowed host paths
Description: Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster pod hostPath volumes should only use allowed host paths

Category: Kubernetes
Id: febd0533-8e55-448f-b837-bd0e06f16469
DisplayName: Kubernetes cluster containers should only use allowed images
Description: Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: deny
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Ensure only allowed container images in Kubernetes cluster

Category: Kubernetes
Id: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
DisplayName: Kubernetes cluster containers should only use allowed capabilities
Description: Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Default: audit
Allowed: (audit, deny, disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed capabilities

Category: Guest Configuration
Id: 8794ff4f-1a35-4e18-938f-0b22055067cd
DisplayName: Windows machines should meet requirements for 'Security Options - Devices'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'Security Options - Devices'

Category: Guest Configuration
Id: 35781875-8026-4628-b19b-f6efb4d88a1d
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Object Access'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-15 14:06:41
change: Previous DisplayName: [Preview]: Windows machines should meet requirements for 'System Audit Policies - Object Access'

Category: Guest Configuration
Id: 315c850a-272d-4502-8935-b79010405970
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines that are not joined to the specified domain. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed: deployIfNotExists
Roles used: Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain

Category: Key Vault
Id: 55615ac9-af46-4a59-874e-391cc3dfb490
DisplayName: [Preview]: Azure Key Vault should disable public network access
Description: Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.
Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-09-09 11:24:03
add: 55615ac9-af46-4a59-874e-391cc3dfb490

Category: Guest Configuration
Id: 9f658460-46b7-43af-8565-94fc0662be38
DisplayName: [Deprecated]: Show audit results from Windows VMs that are not set to the specified time zone
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not set to the specified time zone. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that are not set to the specified time zone

Category: Security Center
Id: a3a6ea0c-e018-4933-9ef0-5aaa1501449b
DisplayName: Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
Description: Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: a3a6ea0c-e018-4933-9ef0-5aaa1501449b

Category: Guest Configuration
Id: cc7cda28-f867-4311-8497-a526129a8d19
DisplayName: [Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain only specified members
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain only the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain only the specified members

Category: Guest Configuration
Id: 93507a81-10a4-4af0-9ee2-34cf25a96e98
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain all of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed: deployIfNotExists
Roles used: Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members

Category: Guest Configuration
Id: 8ff0b18b-262e-4512-857a-48ad0aeb9a78
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed: deployIfNotExists
Roles used: Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption

Category: Guest Configuration
Id: 12f7e5d0-42a7-4630-80d8-54fb7cff9bd6
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed: deployIfNotExists
Roles used: Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed

Category: Guest Configuration
Id: a2d0e922-65d0-40c4-8f87-ea6da2d307a2
DisplayName: Audit Windows machines that do not restrict the minimum password length to 14 characters
Description: Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they are Windows machines that do not restrict the minimum password length to 14 characters.
Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: a2d0e922-65d0-40c4-8f87-ea6da2d307a2

Category: Guest Configuration
Id: 5aebc8d1-020d-4037-89a0-02043a7524ec
DisplayName: [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol.
Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
Guest Configuration | bde62c94-ccca-4821-a815-92c1d31a76de | [Deprecated]: Show audit results from Windows VMs if the Administrators group contains any of the specified members | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group contains any of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group contains any of the specified members
Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that allow remote connections from accounts without passwords
Guest Configuration | 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 | Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 5752e6d6-1206-46d8-8ab1-ecc2f71a8112
Guest Configuration | 934345e1-4dfb-4c70-90d7-41990dc9608b | Audit Windows machines that do not contain the specified certificates in Trusted Root | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine Trusted Root certificate store (Cert:\LocalMachine\Root) does not contain one or more of the certificates listed by the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 934345e1-4dfb-4c70-90d7-41990dc9608b
Guest Configuration | 7a031c68-d6ab-406e-a506-697a19c634b0 | [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled | This policy creates a Guest Configuration assignment to audit Windows Server virtual machines on which Windows Serial Console is not enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled
Guest Configuration | 4ceb8dc2-559c-478b-a15b-733fbf1e3738 | Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a maximum password age of 70 days. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 4ceb8dc2-559c-478b-a15b-733fbf1e3738
Guest Configuration | 0447bc18-e2f7-4c0d-aa20-bff034275be1 | Audit Linux machines that have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are installed. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 0447bc18-e2f7-4c0d-aa20-bff034275be1
Guest Configuration | ebb67efd-3c46-49b0-adfe-5599eb944998 | Audit Windows machines that don't have the specified applications installed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is not found in any of the following registry paths: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: ebb67efd-3c46-49b0-adfe-5599eb944998
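The definition above (ebb67efd) and its inverse for Windows (f0633351, "have the specified applications installed") both reduce to the same registry lookup: walk the three Uninstall keys and compare DisplayName against the parameter. The PowerShell below is an added example of that lookup for running on a machine before the Guest Configuration audit reports on it; it is not Microsoft's Guest Configuration code and not part of this changelog. The function name, the -Prohibited switch and the sample application names are assumptions for illustration.

```powershell
# Added example: local pre-check mirroring the Uninstall-key lookup the audit
# definitions describe. Not the Guest Configuration implementation.
function Test-ApplicationInstalled {
    [CmdletBinding()]
    param(
        # DisplayName as shown in Programs and Features; wildcards are allowed.
        [Parameter(Mandatory)] [string[]] $ApplicationName,
        # Assumption for illustration: set this to mirror the "have the specified
        # applications installed" definition, where a match means non-compliant.
        [switch] $Prohibited
    )

    # The three hives named in the definition: native, WOW6432Node (32-bit
    # applications on 64-bit Windows) and the current user's per-user installs.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    # Collect every entry that has a DisplayName; entries without one are
    # updates or hidden components and the audit would not match them either.
    $installed = foreach ($path in $uninstallPaths) {
        if (Test-Path -Path $path) {
            Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
                ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
                Where-Object { $_.DisplayName } |
                Select-Object DisplayName, DisplayVersion, @{ n = 'Hive'; e = { $path } }
        }
    }

    foreach ($name in $ApplicationName) {
        $matches = @($installed | Where-Object { $_.DisplayName -like $name })
        $found = $matches.Count -gt 0
        [pscustomobject]@{
            ApplicationName = $name
            Installed       = $found
            # "don't have ... installed": compliant when found.
            # "have ... installed" (-Prohibited): compliant when not found.
            Compliant       = if ($Prohibited) { -not $found } else { $found }
            Matches         = ($matches | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
        }
    }
}

# Constructed sample input: one name that is usually present, one that is not.
Test-ApplicationInstalled -ApplicationName 'Microsoft Edge*', 'ExampleAgent' | Format-Table -AutoSize
```

HKCU is read in the context of whoever runs the function; the Guest Configuration agent runs as SYSTEM, so per-user installs of an interactive user can differ between this check and the audit result.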
Guest Configuration | fee5cb2b-9d9b-410e-afe3-2902d90d0004 | [Deprecated]: Show audit results from Linux VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that do not have the specified applications installed
Security Center | d62cfe2b-3ab0-4d41-980d-76803b58ca65 | Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: d62cfe2b-3ab0-4d41-980d-76803b58ca65
Guest Configuration | f0633351-c7b2-41ff-9981-508fc08553c2 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that have the specified applications installed
Guest Configuration | c633f6a2-7f8b-4d9e-9456-02f0f04f5505 | Audit Windows machines that are not set to the specified time zone | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the property StandardName in WMI class Win32_TimeZone does not match the selected time zone for the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: c633f6a2-7f8b-4d9e-9456-02f0f04f5505
Guest Configuration | 144f1397-32f9-4598-8c88-118decc3ccba | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group contains any of the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members
Guest Configuration | da0f98fe-a24b-4ad5-af69-bd0400233661 | Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not store passwords using reversible encryption. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: da0f98fe-a24b-4ad5-af69-bd0400233661
Guest Configuration | 4d1c04de-2172-403f-901b-90608c35c721 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed
Guest Configuration | 630ac30f-a234-4533-ac2d-e0df77acda51 | Audit Windows machines network connectivity | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a network connection status to an IP and TCP port does not match the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 630ac30f-a234-4533-ac2d-e0df77acda51
Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration | b2fc8f91-866d-4434-9089-5ebfe38d6fd8 | [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols | This policy creates a Guest Configuration assignment to audit Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols
Guest Configuration | f6ec09a3-78bf-4f8f-99dc-6c77182d0f99 | Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: f6ec09a3-78bf-4f8f-99dc-6c77182d0f99
Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 8b0de57a-f511-4d45-a277-17cb79cb163b | [Deprecated]: Show audit results from Windows VMs with a pending reboot | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with a pending reboot. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs with a pending reboot
Guest Configuration | c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a | [Deprecated]: Show audit results from Windows VMs on which the specified services are not installed and 'Running' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the specified services are not installed and 'Running'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the specified services are not installed and 'Running'
Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have the password complexity setting enabled
Guest Configuration | 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f | Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f
Security Center | 6646a0bd-e110-40ca-bb97-84fcee63c414 | Service principals should be used to protect your subscriptions instead of management certificates | Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 6646a0bd-e110-40ca-bb97-84fcee63c414
Guest Configuration | 84662df4-0e37-44a6-9ce1-c9d2150db18c | Audit Windows machines that are not joined to the specified domain | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the value of the Domain property in WMI class Win32_ComputerSystem does not match the value in the policy parameter. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 84662df4-0e37-44a6-9ce1-c9d2150db18c
Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have a minimum password age of 1 day
Managed Application | 9db7917b-1607-4e7d-a689-bca978dd0633 | Application definition for Managed Application should use customer provided storage account | Use your own storage account to control the application definition data when this is a regulatory or compliance requirement. You can choose to store your managed application definition within a storage account provided by you during creation, so that its location and access can be fully managed by you to fulfill regulatory compliance requirements. | Default: audit
Allowed: (audit, deny, disabled)
2020-09-09 11:24:03
add: 9db7917b-1607-4e7d-a689-bca978dd0633
Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | e6955644-301c-44b5-a4c4-528577de6861 | Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the permissions on the passwd file are not set to 0644. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: e6955644-301c-44b5-a4c4-528577de6861
Guest Configuration | bf16e0bb-31e1-4646-8202-60a235cc7e74 | Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have the password complexity setting enabled. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: bf16e0bb-31e1-4646-8202-60a235cc7e74
Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
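The six password-policy definitions in this batch (minimum length 14, maximum age 70 days, minimum age 1 day, history of 24 passwords, complexity enabled, reversible encryption) all read the local security policy. The PowerShell below is an added example that exports that policy with secedit and evaluates the same thresholds locally; it is not the Guest Configuration implementation and not part of this changelog. The function names are assumptions, the threshold values are the ones the DisplayNames state, and the example treats ClearTextPassword = 0 (reversible encryption disabled) as the desired state, which is the secure setting rather than a reading of the definition's wording. It must run elevated because secedit /export requires it.

```powershell
# Added example: evaluate the local password policy against the thresholds the
# Guest Configuration definitions name. Not Microsoft's audit code.
function Get-LocalPasswordPolicy {
    # secedit writes an INI-style file; the values we need sit under [System Access].
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet
        if (-not (Test-Path -Path $inf)) {
            throw 'secedit export produced no file; run this from an elevated session.'
        }
        $settings = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            # Only numeric values are kept; quoted strings such as the renamed
            # Administrator account are not needed for these checks.
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
                $value = 0
                if ([int]::TryParse($Matches[2], [ref] $value)) {
                    $settings[$Matches[1]] = $value
                }
            }
        }
        return $settings
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-PasswordPolicyBaseline {
    param([hashtable] $Policy = (Get-LocalPasswordPolicy))

    # One entry per definition; Pass receives the exported value.
    # MaximumPasswordAge = -1 means "never expires" and must fail the 70-day check.
    $checks = @(
        @{ Name = 'Minimum password length is at least 14';   Key = 'MinimumPasswordLength'; Pass = { param($v) $v -ge 14 } }
        @{ Name = 'Maximum password age is at most 70 days';  Key = 'MaximumPasswordAge';    Pass = { param($v) $v -gt 0 -and $v -le 70 } }
        @{ Name = 'Minimum password age is at least 1 day';   Key = 'MinimumPasswordAge';    Pass = { param($v) $v -ge 1 } }
        @{ Name = 'Password history remembers 24 passwords';  Key = 'PasswordHistorySize';   Pass = { param($v) $v -ge 24 } }
        @{ Name = 'Password complexity is enabled';           Key = 'PasswordComplexity';    Pass = { param($v) $v -eq 1 } }
        @{ Name = 'Reversible encryption is disabled';        Key = 'ClearTextPassword';     Pass = { param($v) $v -eq 0 } }
    )

    foreach ($check in $checks) {
        $value = $Policy[$check.Key]
        [pscustomobject]@{
            Check     = $check.Name
            Setting   = $check.Key
            Value     = $value
            # A missing key is reported as non-compliant rather than silently passed.
            Compliant = ($null -ne $value) -and (& $check.Pass $value)
        }
    }
}

Test-PasswordPolicyBaseline | Format-Table -AutoSize
```

On a domain-joined machine the exported values reflect the effective policy (domain GPO overrides local settings), which is also what the Guest Configuration agent evaluates.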
SQL | b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13 | SQL Database should avoid using GRS backup redundancy | Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. A database created via T-SQL gets geo-redundant backup storage unless another redundancy is explicitly specified. | Default: Deny
Allowed: (Deny, Disabled)
2020-09-09 11:24:03
add: b219b9cf-f672-4f96-9ab0-f5a3ac5e1c13
Guest Configuration | 5b842acb-0fe7-41b0-9f40-880ec4ad84d8 | [Deprecated]: Show audit results from Linux VMs that have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that have the specified applications installed
SQL | a9934fd7-29f2-4e6d-ab3d-607ea38e9079 | SQL Managed Instances should avoid using GRS backup redundancy | Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. A database created via T-SQL gets geo-redundant backup storage unless another redundancy is explicitly specified. | Default: Deny
Allowed: (Deny, Disabled)
2020-09-09 11:24:03
add: a9934fd7-29f2-4e6d-ab3d-607ea38e9079
Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | 4221adbc-5c0f-474f-88b7-037a99e6114c | Audit Windows VMs with a pending reboot | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is pending reboot for any of the following reasons: component based servicing, Windows Update, pending file rename, pending computer rename, configuration manager pending reboot. Each detection has a unique registry path. | Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 4221adbc-5c0f-474f-88b7-037a99e6114c
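The definition above lists five reboot triggers but not where each is read. The PowerShell below is an added example that checks the same five sources locally; it is not the Guest Configuration implementation and not part of this changelog. The registry keys and the ConfigMgr CIM method are the locations commonly used for each detection and are my choice, not taken from the definition text; the function name is an assumption.

```powershell
# Added example: local pending-reboot check covering the five sources the audit
# definition names. Not Microsoft's Guest Configuration code.
function Test-PendingReboot {
    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. Component Based Servicing left a pending operation (feature or update install).
    if (Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons.Add('Component Based Servicing')
    }

    # 2. Windows Update asked for a restart.
    if (Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons.Add('Windows Update')
    }

    # 3. File renames or deletes deferred to next boot (in-use binaries replaced by an installer).
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) {
        $reasons.Add('Pending file rename')
    }

    # 4. Computer rename not yet applied: the active name differs from the configured one.
    $activeName = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName' -ErrorAction SilentlyContinue).ComputerName
    $configName = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName' -ErrorAction SilentlyContinue).ComputerName
    if ($activeName -and $configName -and $activeName -ne $configName) {
        $reasons.Add('Pending computer rename')
    }

    # 5. Configuration Manager client, if installed; the namespace is absent elsewhere,
    #    so the call is wrapped and a failure simply means "no ConfigMgr client".
    try {
        $ccm = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ClientUtilities' `
                                -MethodName 'DetermineIfRebootPending' -ErrorAction Stop
        if ($ccm.RebootPending -or $ccm.IsHardRebootPending) {
            $reasons.Add('Configuration Manager')
        }
    }
    catch { }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join ', ')
    }
}

Test-PendingReboot
```

A machine that reports RebootPending here will show as non-compliant under this definition until it is restarted; the Reasons field tells you which subsystem is holding the flag.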
Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have a maximum password age of 70 days
Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | 32b1e4d4-6cd5-47b4-a935-169da8a5c262 | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the specified services are not installed and 'Running'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running'
Guest Configuration | d7ccd0ca-8d78-42af-a43d-6b7f928accbc | [Deprecated]: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows Server virtual machines on which Windows Serial Console is not enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows Server VMs on which Windows Serial Console is not enabled
Guest Configuration | b821191b-3a12-44bc-9c38-212138a29ff3 | [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members | This policy creates a Guest Configuration assignment to audit Windows virtual machines in which the Administrators group does not contain only the specified members. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members
Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration | ea53dbee-c6c9-4f0e-9f9e-de0039b78023 | Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: ea53dbee-c6c9-4f0e-9f9e-de0039b78023
Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that have accounts without passwords
Guest Configuration | 5e393799-e3ca-4e43-a9a5-0ec4648a57d9 | [Deprecated]: Show audit results from Windows VMs that do not have the specified applications installed | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified applications installed
Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
Guest Configuration726671ac-c4de-4908-8c7d-6043ae62e3b6[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwordsThis policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
Guest Configurationc5fbc59e-fb6f-494f-81e2-d99a671bdaa8[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of daysThis policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
Guest Configurationec49586f-4939-402d-a29e-6ff502b20592[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwordsThis policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
Guest Configurationa030a57e-4639-4e8f-ade9-a92f33afe7ee[Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expectedThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configurationd3b823c9-e0fc-4453-9fb2-8213b7338523Audit Linux machines that don't have the specified applications installedRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Chef InSpec resource indicates that one or more of the packages provided by the parameter are not installed. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: d3b823c9-e0fc-4453-9fb2-8213b7338523
Guest Configurationc96f3246-4382-4264-bf6b-af0b35e23c3c[Deprecated]: Deploy prerequisites to audit Windows VMs with a pending rebootThis policy creates a Guest Configuration assignment to audit Windows virtual machines with a pending reboot. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs with a pending reboot
Guest Configuration9328f27e-611e-44a7-a244-39109d7d35ab[Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of daysThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
Guest Configurationa29ee95c-0395-4515-9851-cc04ffe82a91[Deprecated]: Show audit results from Windows VMs that are not joined to the specified domainThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that are not joined to the specified domain. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that are not joined to the specified domain
Guest Configuration08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fdAudit Windows machines on which the DSC configuration is not compliantRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-DSCConfigurationStatus returns that the DSC configuration for the machine is not compliant. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 08a2f2d2-94b2-4a7b-aa3b-bb3f523ee6fd
Guest Configurationf3b44e5d-1456-475f-9c67-c66c4618e85a[Deprecated]: Show audit results from Windows VMs if the Administrators group doesn't contain all of the specified membersThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines in which the Administrators group does not contain all of the specified members. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs in which the Administrators group does not contain all of the specified members
Guest Configuration7e84ba44-6d03-46fd-950e-5efa5a1112fa[Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of daysThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that have not restarted within the specified number of days
Guest Configuration7227ebe5-9ff7-47ab-b823-171cd02fb90f[Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliantThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the DSC configuration is not compliant
Guest Configuration68511db2-bd02-41c4-ae6b-1900a012968a[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expectedThis policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
Security Centera4fe33eb-e377-4efb-ab31-0784311bc499Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoringThis policy audits any Windows/Linux virtual machines (VMs) on which the Log Analytics agent, which Security Center uses to monitor for security vulnerabilities and threats, is not installed. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: a4fe33eb-e377-4efb-ab31-0784311bc499
Guest Configuration1417908b-4bff-46ee-a2a6-4acc899320abAudit Windows machines that contain certificates expiring within the specified number of daysRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if certificates in the specified store have an expiration date out of range for the number of days given as parameter. The policy also provides the option to only check for specific certificates or exclude specific certificates, and whether to report on expired certificates. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 1417908b-4bff-46ee-a2a6-4acc899320ab
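The certificate-expiry audit above (1417908b-...) describes its parameters but not how the check behaves at the edges: the window is "within N days", expired certificates are reported only if you opt in, and include/exclude lists are by thumbprint. The following PowerShell is an added example, not code from this page or from Microsoft's Guest Configuration package; it reproduces that logic locally so you can see what the policy would flag before assigning it. The parameter names (StorePath, ExpirationLimitInDays, IncludeThumbprints, ExcludeThumbprints, IncludeExpired) are this example's own, not the policy's parameter names.

```powershell
# Added example: local equivalent of the "certificates expiring within N days" audit.
# Assumptions: the store path, day threshold and include/exclude thumbprint lists
# stand in for the policy parameters; names are this example's, not the policy's.
function Get-ExpiringCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$ExpirationLimitInDays = 30,
        [string[]]$IncludeThumbprints = @(),   # empty = evaluate every certificate in the store
        [string[]]$ExcludeThumbprints = @(),   # thumbprints to ignore (e.g. a known decommissioned cert)
        [switch]$IncludeExpired                # also report certificates that have already expired
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($ExpirationLimitInDays)

    Get-ChildItem -Path $StorePath |
        # Cert:\LocalMachine\My yields X509Certificate2 objects; skip anything else
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object {
            ($IncludeThumbprints.Count -eq 0 -or $IncludeThumbprints -contains $_.Thumbprint) -and
            ($ExcludeThumbprints -notcontains $_.Thumbprint)
        } |
        Where-Object {
            # "expiring soon": NotAfter lies in (now, now + N days]
            ($_.NotAfter -gt $now -and $_.NotAfter -le $cutoff) -or
            # "already expired": only counted when the caller asked for it
            ($IncludeExpired -and $_.NotAfter -le $now)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysRemaining = [math]::Floor(($_.NotAfter - $now).TotalDays)
                Expired       = ($_.NotAfter -le $now)
                HasPrivateKey = $_.HasPrivateKey   # a leaf cert with a key is the one that breaks a service
            }
        }
}

# Any output here corresponds to a non-compliant result under the policy:
# Get-ExpiringCertificate -ExpirationLimitInDays 30 -IncludeExpired
```

Run it with the same day threshold you intend to set on the policy. The HasPrivateKey column is not something the policy reports, but it is the first thing to look at when triaging the results: a server certificate with a private key that expires next week is an outage, while an expired intermediate left in the store is noise you would put on the exclude list.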
Guest Configuration3d2a3320-2a72-4c67-ac5f-caa40fbee2b2Audit Windows machines that have extra accounts in the Administrators groupRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 3d2a3320-2a72-4c67-ac5f-caa40fbee2b2
Guest Configuration7e56b49b-5990-4159-a734-511ea19b731c[Deprecated]: Show audit results from Windows VMs that have the specified applications installedThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have the specified applications installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that have the specified applications installed
Guest Configuratione6ebf138-3d71-4935-a13b-9c7fdddd94dfAudit Windows machines on which the specified services are not installed and 'Running'Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the result of the Windows PowerShell command Get-Service does not include the service name with the matching status as specified by the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: e6ebf138-3d71-4935-a13b-9c7fdddd94df
Guest Configurationbeb6ccee-b6b8-4e91-9801-a5fa4260a104Audit Windows machines that have not restarted within the specified number of daysRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the WMI property LastBootUpTime in class Win32_OperatingSystem is outside the range of days provided by the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: beb6ccee-b6b8-4e91-9801-a5fa4260a104
Guest Configuration5b054a0d-39e2-4d53-bea3-9734cad2c69bAudit Windows machines that allow re-use of the previous 24 passwordsRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of the previous 24 passwords. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 5b054a0d-39e2-4d53-bea3-9734cad2c69b
Guest Configuration7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabledThis policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
Guest Configuration30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7Audit Windows machines missing any of specified members in the Administrators groupRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7
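The two Administrators-group audits above (3d2a3320-... for extra members, 30f71ea1-... for missing members) are complementary: one enforces an upper bound on local admin membership, the other a lower bound. The following PowerShell is an added example, not code from this page or from Microsoft's Guest Configuration package; it performs both comparisons locally against an allow-list so you can preview the results before assignment. The ExpectedMembers parameter is this example's stand-in for the policies' member-list parameter.

```powershell
# Added example: local equivalent of the two Administrators-group audits.
# Assumption: $ExpectedMembers is the allow-list you would pass to the policies,
# written in the 'DOMAIN\name' / 'COMPUTER\name' form that Get-LocalGroupMember returns.
function Test-AdministratorsGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ExpectedMembers
    )

    # Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts, Windows PowerShell 5.1+)
    # returns .Name values such as 'CORP\ServerAdmins' or 'HOST\Administrator'.
    # An orphaned SID (deleted domain account) shows up as an 'S-1-5-...' string,
    # and on some builds makes the cmdlet throw, hence the explicit error handling.
    try {
        $actual = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                    ForEach-Object { $_.Name })
    } catch {
        throw "Could not enumerate Administrators on $env:COMPUTERNAME (orphaned SID?): $_"
    }

    # -contains / -notcontains are case-insensitive; order is irrelevant.
    $extra   = @($actual          | Where-Object { $ExpectedMembers -notcontains $_ })
    $missing = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ActualMembers      = $actual
        ExtraMembers       = $extra      # what 3d2a3320-... would report
        MissingMembers     = $missing    # what 30f71ea1-... would report
        CompliantNoExtra   = ($extra.Count -eq 0)
        CompliantNoMissing = ($missing.Count -eq 0)
    }
}

# Example allow-list: the built-in Administrator plus one domain group.
# Test-AdministratorsGroup -ExpectedMembers "$env:COMPUTERNAME\Administrator", 'CORP\ServerAdmins'
```

The comparison is by name only, as in the policy: it does not resolve nested group membership, so a domain group on the allow-list can still carry any number of users. Treat the ExtraMembers result as the security-relevant one; an unexpected local account or a stray user principal in the Administrators group is a common persistence artifact and is worth feeding into your detection pipeline rather than only into a compliance report.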
Guest Configuration60ffe3e2-4604-4460-8f22-0f1da058266c[Deprecated]: Show audit results from Windows web servers that are not using secure communication protocolsThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows web servers that are not using secure communication protocols (TLS 1.1 or TLS 1.2). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows web servers that are not using secure communication protocols
Guest Configuration02a84be7-c304-421f-9bb7-5d2c26af54ad[Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified oneThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration884b209a-963b-4520-8006-d20cb3c213e0[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installedThis policy creates a Guest Configuration assignment to audit Linux virtual machines that have the specified applications installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Linux VMs that have the specified applications installed
Guest Configurationc5b85cba-6e6f-4de4-95e1-f0233cd712acAudit Windows machines that have the specified applications installedRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the application name is found in any of the following registry paths: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: c5b85cba-6e6f-4de4-95e1-f0233cd712ac
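The "applications installed" audit above (c5b85cba-...) is a registry lookup across the three Uninstall keys it lists, so its coverage is exactly the set of programs that registered an uninstaller. The following PowerShell is an added example, not code from this page or from Microsoft's Guest Configuration package; it walks the same three keys and matches DisplayName against one or more patterns, which is also how you would use it for the inverse policy (d3b823c9-style "must be installed" checks on Windows). The ApplicationName parameter is this example's own.

```powershell
# Added example: enumerate the three Uninstall hives the policy description names
# and match DisplayName against the given wildcard patterns.
# Assumption: $ApplicationName plays the role of the policy's application-list parameter.
function Get-InstalledApplication {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ApplicationName    # wildcard patterns, e.g. 'Google Chrome', '7-Zip*'
    )

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',              # 64-bit machine-wide
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit on 64-bit Windows
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
    )

    $installed = foreach ($p in $paths) {
        if (-not (Test-Path -Path $p)) { continue }
        Get-ChildItem -Path $p -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName } |          # keys without DisplayName are not visible apps
            Select-Object @{ n = 'Name';    e = { $_.DisplayName } },
                          @{ n = 'Version'; e = { $_.DisplayVersion } },
                          @{ n = 'Hive';    e = { $p } },
                          @{ n = 'KeyName'; e = { $_.PSChildName } }
    }

    foreach ($pattern in $ApplicationName) {
        $hits = @($installed | Where-Object { $_.Name -like $pattern })
        [pscustomobject]@{
            Pattern = $pattern
            Found   = ($hits.Count -gt 0)   # Found = non-compliant under c5b85cba-...
            Matches = $hits
        }
    }
}

# Get-InstalledApplication -ApplicationName 'TeamViewer*', 'AnyDesk*'
```

Two caveats a practitioner should keep in mind. First, the Guest Configuration agent runs as a service account, so the HKCU hive it reads is not an interactive user's; per-user installs of remote-access tools in a user's own profile are exactly the kind of thing this policy will not see. Second, the match is on DisplayName only: portable executables, renamed installers and software that never registered an uninstaller are invisible to it, so use the policy as an inventory control, not as evidence that a blocked tool is absent.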
Key Vault5f0bc445-3935-4915-9981-011aa2b46147[Preview]: Private endpoint should be configured for Key VaultPrivate link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-09-09 11:24:03
add: 5f0bc445-3935-4915-9981-011aa2b46147
Guest Configurationc40c9087-1981-4e73-9f53-39743eda9d05[Deprecated]: Show audit results from Linux VMs that have accounts without passwordsThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Linux VMs that have accounts without passwords
Guest Configuration237b38db-ca4d-4259-9e47-7882441ca2c0Audit Windows machines that do not have a minimum password age of 1 dayRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they do not have a minimum password age of 1 day. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 237b38db-ca4d-4259-9e47-7882441ca2c0
Guest Configurationc21f7060-c148-41cf-a68b-0ab3e14c764c[Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zoneThis policy creates a Guest Configuration assignment to audit Windows virtual machines that are not set to the specified time zone. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: deployIfNotExistsContributor
2020-09-09 11:24:03
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone
Guest Configuration6265018c-d7e2-432f-a75d-094d5f6f4465Audit Windows machines on which the Log Analytics agent is not connected as expectedRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 6265018c-d7e2-432f-a75d-094d5f6f4465
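The Log Analytics agent audit above (6265018c-...) is the one Guest Configuration check in this batch that reads agent state through a COM object rather than a cmdlet, and the services audit earlier in the list (e6ebf138-...) is the natural companion to it: an agent that is installed and pointed at the right workspace but whose service is stopped still sends nothing. The following PowerShell is an added example, not code from this page or from Microsoft's Guest Configuration package; it combines both checks locally. It relies on the agent's documented COM class AgentConfigManager.MgmtSvcCfg and its GetCloudWorkspaces() method, and assumes the returned objects expose the workspace GUID as workspaceId; the ExpectedWorkspaceId parameter is this example's own.

```powershell
# Added example: is the Log Analytics (MMA) agent installed, running, and
# connected to exactly the expected workspace(s)?
# Assumptions: $ExpectedWorkspaceId stands in for the policy's workspace-ID parameter;
# GetCloudWorkspaces() returns objects with a workspaceId property (per the agent's COM API).
function Test-LogAnalyticsAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ExpectedWorkspaceId
    )

    $report = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        AgentInstalled = $false
        ServiceRunning = $false
        Workspaces     = @()
        Unexpected     = @()
        Missing        = @()
        Compliant      = $false
        Reason         = ''
    }

    # The agent registers this COM class at install time; if it cannot be
    # created, treat the agent as not installed (the policy's first failure case).
    try {
        $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' -ErrorAction Stop
    } catch {
        $report.Reason = 'Log Analytics agent is not installed'
        return [pscustomobject]$report
    }
    $report.AgentInstalled = $true

    # Same shape of check as e6ebf138-...: the service must exist and be Running.
    # HealthService is the Windows service name of the Log Analytics agent.
    $svc = Get-Service -Name 'HealthService' -ErrorAction SilentlyContinue
    $report.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # One object per configured workspace; compare the GUIDs against the expectation.
    $ids = @($mma.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
    $report.Workspaces = $ids
    $report.Unexpected = @($ids | Where-Object { $ExpectedWorkspaceId -notcontains $_ })
    $report.Missing    = @($ExpectedWorkspaceId | Where-Object { $ids -notcontains $_ })

    # The policy's condition is "registered to a workspace other than the one
    # specified"; this example additionally requires the service to be up.
    if (-not $report.ServiceRunning) {
        $report.Reason = 'HealthService is not running'
    } elseif ($report.Unexpected.Count -gt 0 -or $report.Missing.Count -gt 0) {
        $report.Reason = 'Agent is registered to a different workspace set than expected'
    } else {
        $report.Compliant = $true
        $report.Reason    = 'OK'
    }
    [pscustomobject]$report
}

# Test-LogAnalyticsAgent -ExpectedWorkspaceId '00000000-0000-0000-0000-000000000000'
```

An Unexpected entry deserves attention beyond compliance: an agent multi-homed to a workspace you do not own is a data-exfiltration path for everything the agent collects (event logs, performance data, custom logs), so it belongs in incident triage, not only in a remediation queue.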
Guest Configuration2d60d3b7-aa10-454c-88a8-de39d99d17c6[Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryptionThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-09-09 11:24:03
change: Previous DisplayName: Show audit results from Windows VMs that do not store passwords using reversible encryption
Guest Configuration58c460e9-7573-4bb2-9676-339c2f2486bbAudit Windows machines on which Windows Serial Console is not enabledRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine does not have the Serial Console software installed or if the EMS port number or baud rate are not configured with the same values as the policy parameters. Fixed: auditIfNotExists
2020-09-09 11:24:03
add: 58c460e9-7573-4bb2-9676-339c2f2486bb
Security Center5a913c68-0590-402c-a531-e57e19379da3[Deprecated]: Operating system version should be the most current version for your cloud service rolesKeeping the operating system (OS) on the most recent supported version for your cloud service roles enhances the system's security posture. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-09 11:24:03
add: 5a913c68-0590-402c-a531-e57e19379da3
Key Vaultf772fb64-8e40-40ad-87bc-7706e1949427[Preview]: Certificates should not expire within the specified number of daysManage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates that are within a specified number of days of expiration
Key Vault12ef42cb-9903-4e39-9c26-422d29570417[Preview]: Certificates should have the specified lifetime action triggersManage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificate lifetime action triggers
Key Vault1151cede-290b-4ba0-8b38-0ad145ac888f[Preview]: Certificates should use allowed key typesManage your organizational compliance requirements by restricting the key types allowed for certificates. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage allowed certificate key types
App Service86d97760-d216-4d81-a3ad-163087b2b6c3[Deprecated]: Ensure that Register with Azure Active Directory is enabled on API appThis policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3ee instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on API app
App Serviceab965db2-d2bf-4b64-8b39-c38ec8179461[Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function appPHP cannot be used with Function apps. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that 'PHP version' is the latest, if used as a part of the Function app
Key Vaultbd78111f-4953-4367-9fd5-7e08808b54bf[Preview]: Certificates using elliptic curve cryptography should have allowed curve namesManage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage allowed curve names for elliptic curve cryptography certificates
Key Vaultcee51871-e572-4576-855c-047c820360f0[Preview]: Certificates using RSA cryptography should have the specified minimum key sizeManage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage minimum key size for RSA certificates
Key Vault8e826246-c976-48f6-b03e-619bb92b3d82[Preview]: Certificates should be issued by the specified integrated certificate authorityManage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates issued by an integrated CA
Key Vaulta22f4a40-01d3-4c7d-8071-da157eeff341[Preview]: Certificates should be issued by the specified non-integrated certificate authorityManage your organizational compliance requirements by specifying the custom or internal certificate authorities that can issue certificates in your key vault. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificates issued by a non-integrated CA
App Servicec2e7ca55-f62c-49b2-89a4-d41eb661d2f0[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API appThis policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the API app
Guest Configurationfc9b3da7-8347-4380-8e70-0a0361d8dedd[Preview]: Linux machines should meet requirements for the Azure compute security baselineRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
add: fc9b3da7-8347-4380-8e70-0a0361d8dedd
App Service843664e0-7563-41ee-a9cb-7522c382d2c4[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web appThis policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Web app
App Servicef0473e7a-a1ba-4e86-afb2-e829e11b01d8[Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function AppThis policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on Function App
Key Vault0a075868-4c26-42ef-914c-5bc007359560[Preview]: Certificates should have the specified maximum validity periodManage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. Default: audit
Allowed: (audit, deny, disabled)
2020-09-02 14:03:46
change: Previous DisplayName: [Preview]: Manage certificate validity period
Cognitive Services67121cc7-ff39-4ab8-b7e3-95b84dab487dCognitive Services accounts should enable data encryption with a customer-managed keyCustomer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Cognitive Services accounts should enable data encryption with customer managed key
Security Center501541f7-f7e7-4cd6-868c-4190fdad3ac9A vulnerability assessment solution should be enabled on your virtual machinesAudits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Vulnerability assessment should be enabled on virtual machines
App Serviceaa81768c-cb87-4ce2-bfaa-00baa10d760c[Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB AppThis policy is a duplicate of the respective Managed Identity policies. Please use /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 instead. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that Register with Azure Active Directory is enabled on WEB App
App Service10c1859c-e1a7-4df3-ab97-a487fa8059f6[Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function AppThis policy is not required since Azure App Service automatically updates and maintains the .NET Framework versions installed on the platform. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-09-02 14:03:46
change: Previous DisplayName: Ensure that '.Net Framework' version is the latest, if used as a part of the Function App
Synapse84ce0900-69cd-4b5e-b676-0b5a66d027c9[Preview]: Resource type for Azure Synapse linked service should be in allowed listYou can define an allowed list of resource types for Azure Synapse linked service to restrict creation or update on a scope. With this policy in place you can have a better control over the boundary of data movement. Effect: n/a Roles used: n/a
2020-08-31 13:45:20
remove: 84ce0900-69cd-4b5e-b676-0b5a66d027c9
Guest Configurationc648fbbb-591c-4acd-b465-ce9b176ca173Audit Windows machines that do not have the specified Windows PowerShell execution policyRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the Windows PowerShell command Get-ExecutionPolicy returns a value other than what was selected in the policy parameter. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-27 15:39:26
add: c648fbbb-591c-4acd-b465-ce9b176ca173
Networkc251913d-7d24-4958-af87-478ed3b9ba41Flow logs should be configured for every network security groupAudits network security groups to verify that flow logs are configured. Enabling flow logs records information about the IP traffic flowing through a network security group; it can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. Default: Audit
Allowed: (Audit, Disabled)
2020-08-27 15:39:26
add: c251913d-7d24-4958-af87-478ed3b9ba41
Guest Configuration3e4e2bd5-15a2-4628-b3e1-58977e9793f3Audit Windows machines that do not have the specified Windows PowerShell modules installedRequires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if a module isn't available in a location specified by the environment variable PSModulePath. Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-27 15:39:26
add: 3e4e2bd5-15a2-4628-b3e1-58977e9793f3
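The two PowerShell audits above (c648fbbb-... for the execution policy, 3e4e2bd5-... for required modules) both hinge on a detail the descriptions only hint at: what Get-ExecutionPolicy returns is the effective value after scope precedence, and what Get-Module -ListAvailable finds depends on the PSModulePath of the account doing the looking. The following PowerShell is an added example, not code from this page or from Microsoft's Guest Configuration package; it evaluates both conditions and shows which scope produced the effective policy. The ExpectedExecutionPolicy and RequiredModules parameters are this example's own.

```powershell
# Added example: local equivalent of the execution-policy and required-modules audits.
# Assumptions: $ExpectedExecutionPolicy stands in for c648fbbb-...'s selected value and
# $RequiredModules (name -> minimum version) for 3e4e2bd5-...'s module list.
function Test-PowerShellBaseline {
    [CmdletBinding()]
    param(
        [ValidateSet('AllSigned', 'RemoteSigned', 'Restricted', 'Unrestricted', 'Bypass', 'Undefined')]
        [string]$ExpectedExecutionPolicy = 'RemoteSigned',
        [hashtable]$RequiredModules = @{ 'PSDesiredStateConfiguration' = '1.1' }
    )

    # Without -Scope, Get-ExecutionPolicy returns the effective policy after precedence
    # (MachinePolicy > UserPolicy > Process > CurrentUser > LocalMachine). -List shows
    # every scope, so you can tell whether a GPO is what is setting (or overriding) it.
    $effective = (Get-ExecutionPolicy).ToString()
    $byScope   = Get-ExecutionPolicy -List |
                     ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }

    $modules = foreach ($name in $RequiredModules.Keys) {
        $minVersion = [version]$RequiredModules[$name]
        # -ListAvailable searches every directory in $env:PSModulePath, which is the
        # search the policy description refers to; take the newest version found.
        $best = Get-Module -ListAvailable -Name $name |
                    Sort-Object -Property Version -Descending |
                    Select-Object -First 1
        $installedVersion = if ($best) { $best.Version }    else { $null }
        $installedPath    = if ($best) { $best.ModuleBase } else { $null }
        [pscustomobject]@{
            Module          = $name
            RequiredMinimum = $minVersion
            Installed       = $installedVersion
            Path            = $installedPath
            Satisfied       = [bool]($best -and $best.Version -ge $minVersion)
        }
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        EffectiveExecutionPolicy = $effective
        ExecutionPolicyByScope   = @($byScope)
        ExecutionPolicyCompliant = ($effective -eq $ExpectedExecutionPolicy)
        Modules                  = @($modules)
        ModulesCompliant         = (@($modules | Where-Object { -not $_.Satisfied }).Count -eq 0)
        PSModulePath             = ($env:PSModulePath -split ';')
    }
}

# Test-PowerShellBaseline -ExpectedExecutionPolicy 'AllSigned' -RequiredModules @{ 'PSDesiredStateConfiguration' = '1.1' }
```

Run this as the account that will actually be audited, not only from your own session: the Guest Configuration agent evaluates as a service account, so a CurrentUser-scope execution policy or a module that lives only under your user profile's PSModulePath entry will look fine interactively and still fail the audit. Note also that the execution policy is a safety feature against accidental script execution, not a security boundary; an attacker with code execution passes -ExecutionPolicy Bypass and moves on, so treat this audit as configuration hygiene rather than as a control.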
Guest Configuration16f9b37c-4408-4c30-bc17-254958f2e2d6[Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installedThis policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the specified Windows PowerShell modules installed. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol Fixed: auditIfNotExists
2020-08-27 15:39:26
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell modules installed
Storage | 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 | [Preview]: Storage account public access should be disallowed | Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. | Default: audit
Allowed: (audit, deny, disabled)
2020-08-27 15:39:26
add: 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751
Machine Learning | 40cec1dd-a100-4920-b15b-3024fe8901ab | Azure Machine Learning workspaces should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-08-27 15:39:26
add: 40cec1dd-a100-4920-b15b-3024fe8901ab
Guest Configuration | e0efc13a-122a-47c5-b817-2ccfe5d12615 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy | This policy creates a Guest Configuration assignment to audit Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-27 15:39:26
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy
Guest Configuration | f8036bd0-c10b-4931-86bb-94a878add855 | [Deprecated]: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines where Windows PowerShell is not configured to use the specified PowerShell execution policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-27 15:39:26
change: Previous DisplayName: Show audit results from Windows VMs that do not have the specified Windows PowerShell execution policy
84ce0900-69cd-4b5e-b676-0b5a66d027c9 Fixed:
2020-08-27 15:39:26
add: 84ce0900-69cd-4b5e-b676-0b5a66d027c9
Machine Learning | ba769a63-b8cc-4b2d-abf6-ac33c7204be8 | Azure Machine Learning workspaces should be encrypted with a customer-managed key | Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/azureml-workspaces-cmk. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-08-27 15:39:26
add: ba769a63-b8cc-4b2d-abf6-ac33c7204be8
Guest Configuration | 90ba2ee7-4ca8-4673-84d1-c851c50d3baf | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the specified Windows PowerShell modules installed. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-27 15:39:26
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed
Network | 0db34a60-64f4-4bf6-bd44-f95c16cf34b9 | Deploy a flow log resource with target network security group | Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces. | Fixed: deployIfNotExists | Contributor
2020-08-27 15:39:26
add: 0db34a60-64f4-4bf6-bd44-f95c16cf34b9
Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Components'
Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd | Windows machines should meet requirements for 'Security Options - Network Access' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd
Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | f71be03e-e25b-4d0f-b8bc-9b3e309b66c0 | Windows machines should meet requirements for 'Security Options - Recovery console' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: f71be03e-e25b-4d0f-b8bc-9b3e309b66c0
Guest Configuration | 2a7a701e-dff3-4da9-9ec5-42cb98594c0b | Windows machines should meet requirements for 'System Audit Policies - Policy Change' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Policy Change' for auditing changes to system audit policies. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 2a7a701e-dff3-4da9-9ec5-42cb98594c0b
Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | e0a7e899-2ce2-4253-8a13-d808fdeb75af | Windows machines should meet requirements for 'Administrative Templates - MSS (Legacy)' | Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - MSS (Legacy)' for automatic logon, screen saver, network behavior, safe DLL, and event log. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: e0a7e899-2ce2-4253-8a13-d808fdeb75af
Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | f2143251-70de-4e81-87a8-36cee5a2f29d | Windows machines should meet requirements for 'Security Settings - Account Policies' | Windows machines should have the specified Group Policy settings in the category 'Security Settings - Account Policies' for password history, age, length, complexity, and storing passwords using reversible encryption. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: f2143251-70de-4e81-87a8-36cee5a2f29d
Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | e068b215-0026-4354-b347-8fb2766f73a2 | Windows machines should meet requirements for 'User Rights Assignment' | Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: e068b215-0026-4354-b347-8fb2766f73a2
Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | 94d9aca8-3757-46df-aa51-f218c5f11954 | Windows machines should meet requirements for 'System Audit Policies - Account Management' | Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Management' for auditing application, security, and user group management, and other management events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 94d9aca8-3757-46df-aa51-f218c5f11954
Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | d472d2c9-d6a3-4500-9f5f-b15f123005aa | Windows machines should meet requirements for 'Security Options - Interactive Logon' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Interactive Logon' for displaying last user name and requiring ctrl-alt-del. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: d472d2c9-d6a3-4500-9f5f-b15f123005aa
Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | 492a29ed-d143-4f03-b6a4-705ce081b463 | Windows machines should meet requirements for 'Security Options - User Account Control' | Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 492a29ed-d143-4f03-b6a4-705ce081b463
Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Category: Guest Configuration
Id: 968410dc-5ca0-4518-8a5b-7b55f0530ea9
DisplayName: Windows machines should meet requirements for 'Administrative Templates - System'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - System' for settings that control the administrative experience and Remote Assistance. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 968410dc-5ca0-4518-8a5b-7b55f0530ea9
Category: Guest Configuration
Id: 3aa2661b-02d7-4ba6-99bc-dc36b10489fd
DisplayName: Windows machines should meet requirements for 'Administrative Templates - Control Panel'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Control Panel' for input personalization and prevention of enabling lock screens. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 3aa2661b-02d7-4ba6-99bc-dc36b10489fd
Category: Guest Configuration
Id: 8794ff4f-1a35-4e18-938f-0b22055067cd
DisplayName: Windows machines should meet requirements for 'Security Options - Devices'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Devices' for undocking without logging on, installing print drivers, and formatting/ejecting media. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 8794ff4f-1a35-4e18-938f-0b22055067cd
Category: Guest Configuration
Id: 2f262ace-812a-4fd0-b731-b38ba9e9708d
DisplayName: Windows machines should meet requirements for 'Security Options - System objects'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - System objects' for case insensitivity for non-Windows subsystems and permissions of internal system objects. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 2f262ace-812a-4fd0-b731-b38ba9e9708d
Category: Guest Configuration
Id: 12017595-5a75-4bb1-9d97-4c2c939ea3c3
DisplayName: Windows machines should meet requirements for 'Security Options - System settings'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - System settings' for certificate rules on executables for SRP and optional subsystems. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 12017595-5a75-4bb1-9d97-4c2c939ea3c3
Category: Guest Configuration
Id: 8a39d1f1-5513-4628-b261-f469a5a3341b
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Category: Guest Configuration
Id: 33936777-f2ac-45aa-82ec-07958ec9ade4
DisplayName: Windows machines should meet requirements for 'Security Options - Audit'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 33936777-f2ac-45aa-82ec-07958ec9ade4
Category: Guest Configuration
Id: a1e8dda3-9fd2-4835-aec3-0e55531fde33
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Category: Guest Configuration
Id: 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Category: Guest Configuration
Id: 985285b7-b97a-419c-8d48-c88cc934c8d8
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Category: Guest Configuration
Id: c04255ee-1b9f-42c1-abaa-bf1553f79930
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Category: Guest Configuration
Id: c8abcef9-fc26-482f-b8db-5fa60ee4586d
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Category: Guest Configuration
Id: 35781875-8026-4628-b19b-f6efb4d88a1d
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Object Access'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Object Access' for auditing file, registry, SAM, storage, filtering, kernel, and other system types. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 35781875-8026-4628-b19b-f6efb4d88a1d
Category: Guest Configuration
Id: ba12366f-f9a6-42b8-9d98-157d0b1a837b
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Category: Guest Configuration
Id: 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Category: Guest Configuration
Id: 30040dab-4e75-4456-8273-14b8f75d91d9
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Category: Guest Configuration
Id: caf2d518-f029-4f6b-833b-d7081702f253
DisplayName: Windows machines should meet requirements for 'Security Options - Microsoft Network Server'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: caf2d518-f029-4f6b-833b-d7081702f253
Category: Guest Configuration
Id: 35d9882c-993d-44e6-87d2-db66ce21b636
DisplayName: Windows machines should meet requirements for 'Windows Firewall Properties'
Description: Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 35d9882c-993d-44e6-87d2-db66ce21b636
Category: Guest Configuration
Id: e3a77a94-cf41-4ee8-b45c-98be28841c03
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Category: Guest Configuration
Id: f56a3ab2-89d1-44de-ac0d-2ada5962e22a
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Category: Guest Configuration
Id: 67e010c1-640d-438e-a3a5-feaccb533a98
DisplayName: Windows machines should meet requirements for 'Administrative Templates - Network'
Description: Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 67e010c1-640d-438e-a3a5-feaccb533a98
Category: Guest Configuration
Id: e3d95ab7-f47a-49d8-a347-784177b6c94c
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Category: Guest Configuration
Id: bc87d811-4a9b-47cc-ae54-0a41abda7768
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Category: Guest Configuration
Id: 0a9991e6-21be-49f9-8916-a06d934bcf29
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Category: Guest Configuration
Id: 7229bd6a-693d-478a-87f0-1dc1af06f3b8
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Category: Guest Configuration
Id: 42a07bbf-ffcf-459a-b4b1-30ecd118a505
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Category: Guest Configuration
Id: 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Account Logon'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Account Logon' for auditing credential validation and other account logon events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 43bb60fe-1d7e-4b82-9e93-496bfc99e7d5
Category: Guest Configuration
Id: 87845465-c458-45f3-af66-dcd62176f397
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Privilege Use'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Privilege Use' for auditing nonsensitive and other privilege use. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 87845465-c458-45f3-af66-dcd62176f397
Category: Guest Configuration
Id: 19be9779-c776-4dfa-8a15-a2fd5dc843d6
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Logon-Logoff'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Logon-Logoff' for auditing IPSec, network policy, claims, account lockout, group membership, and logon/logoff events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 19be9779-c776-4dfa-8a15-a2fd5dc843d6
Category: Guest Configuration
Id: 58383b73-94a9-4414-b382-4146eb02611b
DisplayName: Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 58383b73-94a9-4414-b382-4146eb02611b
Category: Guest Configuration
Id: ce2370f6-0ac5-4d85-8ab4-10721cc640b0
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Category: Guest Configuration
Id: ee984370-154a-4ee8-9726-19d900e56fc0
DisplayName: Windows machines should meet requirements for 'Security Options - Accounts'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: ee984370-154a-4ee8-9726-19d900e56fc0
Category: Guest Configuration
Id: dd4680ed-0559-4a6a-ad10-081d14cbb484
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
Category: Guest Configuration
Id: d6c69680-54f0-4349-af10-94dd05f4225e
DisplayName: Windows machines should meet requirements for 'Security Options - Microsoft Network Client'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Client' for Microsoft network client/server and SMB v1. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: d6c69680-54f0-4349-af10-94dd05f4225e
Category: Guest Configuration
Id: f1f4825d-58fb-4257-8016-8c00e3c9ed9d
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Category: Guest Configuration
Id: 12ae2d24-3805-4b37-9fa9-465968bfbcfa
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Category: Guest Configuration
Id: 8537fe96-8cbe-43de-b0ef-131bc72bc22a
DisplayName: Windows machines should meet requirements for 'Windows Components'
Description: Windows machines should have the specified Group Policy settings in the category 'Windows Components' for basic authentication, unencrypted traffic, Microsoft accounts, telemetry, Cortana, and other Windows behaviors. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 8537fe96-8cbe-43de-b0ef-131bc72bc22a
Category: Guest Configuration
Id: 87b590fe-4a1d-4697-ae74-d4fe72ab786c
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Category: Guest Configuration
Id: f8b0158d-4766-490f-bea0-259e52dba473
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Category: Guest Configuration
Id: 1f8c20ce-3414-4496-8b26-0e902a1541da
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Category: Guest Configuration
Id: b4a4d1eb-0263-441b-84cb-a44073d8372d
DisplayName: Windows machines should meet requirements for 'Security Options - Shutdown'
Description: Windows machines should have the specified Group Policy settings in the category 'Security Options - Shutdown' for allowing shutdown without logon and clearing the virtual memory pagefile. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: b4a4d1eb-0263-441b-84cb-a44073d8372d
Category: Guest Configuration
Id: 8316fa92-d69c-4810-8124-62414f560dcf
DisplayName: Windows machines should meet requirements for 'System Audit Policies - System'
Description: Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - System' for auditing IPsec driver, system integrity, system extension, state change, and other system events. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol.
Effect: Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 8316fa92-d69c-4810-8124-62414f560dcf
Category: Guest Configuration
Id: 620e58b5-ac75-49b4-993f-a9d4f0459636
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Category: Guest Configuration
Id: 6481cc21-ed6e-4480-99dd-ea7c5222e897
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Category: Guest Configuration
Id: 21e2995e-683e-497a-9e81-2f42ad07050a
DisplayName: [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Description: This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Category: Guest Configuration
Id: e425e402-a050-45e5-b010-bd3f934589fc
DisplayName: [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Description: This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol
Effect: Fixed: deployIfNotExists
Roles used: Contributor
2020-08-20 14:05:01
change: Previous DisplayName: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | 1221c620-d201-468c-81e7-2817e6107e84 | Windows machines should meet requirements for 'Security Options - Network Security' | Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-20 14:05:01
add: 1221c620-d201-468c-81e7-2817e6107e84
Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-08-20 14:05:01
change: Previous DisplayName: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Security Center | fb893a29-21bb-418c-a157-e99480ec364c | Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Default: Audit
Allowed: (Audit, Disabled)
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
Security Center | 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea | Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Default: Audit
Allowed: (Audit, Disabled)
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Authorized IP ranges should be defined on Kubernetes Services
Security Center | 5f0f936f-2f01-4bf5-b6be-d423792fa562 | Vulnerabilities in Azure Container Registry images should be remediated | Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-19 13:49:29
add: 5f0f936f-2f01-4bf5-b6be-d423792fa562
App Platform | af35e2a4-ef96-44e7-a9ae-853dd97032c4 | Azure Spring Cloud should use network injection | Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2020-08-19 13:49:29
add: af35e2a4-ef96-44e7-a9ae-853dd97032c4
Security Center | ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 | Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Default: Audit
Allowed: (Audit, Disabled)
2020-08-19 13:49:29
change: Previous DisplayName: [Preview]: Role-Based Access Control (RBAC) should be used on Kubernetes Services
Storage | 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f | Storage accounts should restrict network access using virtual network rules | Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-08-18 14:06:57
add: 2a1a9cdf-e04d-429a-8416-3bfb72a1b26f
Storage | 6fac406b-40ca-413b-bf8e-0bf964659c25 | Storage accounts should use customer-managed key for encryption | Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. | Default: Audit
Allowed: (Audit, Disabled)
2020-08-18 14:06:57
add: 6fac406b-40ca-413b-bf8e-0bf964659c25
Storage | 6edd7eda-6dd8-40f7-810d-67160c639cd9 | Storage accounts should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - https://aka.ms/azureprivatelinkoverview | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-08-18 14:06:57
add: 6edd7eda-6dd8-40f7-810d-67160c639cd9
App Configuration | 967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1 | App Configuration should use a customer-managed key | Customer-managed keys provide enhanced data protection by allowing you to manage your encryption keys. This is often required to meet compliance requirements. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-08-05 13:05:29
change: Previous DisplayName: App Configuration should use a customer managed key
Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows virtual machines
SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address to receive security alerts
SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux virtual machines
SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-08-05 13:05:29
change: Previous DisplayName: [Deprecated]: Email notifications to admins and subscription owners should be enabled in SQL Managed Instance advanced data security settings
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-08-05 13:05:29
change: Previous DisplayName: [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-07-17 15:57:10
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-07-17 15:57:10
add: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-07-17 15:57:10
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-07-17 15:57:10
add: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Adaptive application controls for whitelisting safe applications should be enabled on your machines
Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced data security should be enabled on SQL Server on Virtual Machines
Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Whitelisting rules in your adaptive application control policy should be updated
SQL | a8793640-60f7-487c-b5c3-1d37215905c4 | SQL Managed Instance should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit
Allowed: (Audit, Disabled)
2020-07-14 15:28:17
add: a8793640-60f7-487c-b5c3-1d37215905c4
SQL | 32e6bbec-16b6-44c2-be37-c5b672d103cf | Azure SQL Database should have the minimal TLS version of 1.2 | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. | Default: Audit
Allowed: (Audit, Disabled)
2020-07-14 15:28:17
add: 32e6bbec-16b6-44c2-be37-c5b672d103cf
Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on App Service
Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Azure Container Registry
Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Azure Kubernetes Service
Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Key Vault
Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: Advanced threat protection should be enabled on Storage accounts
Security Center | 501541f7-f7e7-4cd6-868c-4190fdad3ac9 | A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-07-14 15:28:17
change: Previous DisplayName: [Preview] Vulnerability Assessment should be enabled on Virtual Machines
Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
change: Previous DisplayName: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway
Kubernetes | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: c26596ff-4d70-4e6a-9a30-c2506bd2f80c
Kubernetes | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
change: Previous DisplayName: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service
SQL | 77e8b146-0078-4fb2-b002-e112381199f0 | Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. | Fixed: AuditIfNotExists
2020-07-08 14:28:08
add: 77e8b146-0078-4fb2-b002-e112381199f0
Kubernetes | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 16697877-1118-4fb1-9b65-9898ec2509ec
Kubernetes | 56d0a13f-712f-466b-8416-56fb354fb823 | Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 56d0a13f-712f-466b-8416-56fb354fb823
SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default: Audit
Allowed: (Audit, Disabled)
2020-07-08 14:28:08
change: Previous DisplayName: Azure SQL Databases should have private endpoint connections
SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
change: Previous DisplayName: Audit public network access setting for Azure SQL Database
Network | 425bea59-a659-4cbb-8d31-34499bd030b8 | Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Azure Front Door Service. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
add: 425bea59-a659-4cbb-8d31-34499bd030b8
Kubernetes | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 82985f06-dc18-4a48-bc1c-b9f4f0098cfe
Kubernetes | 511f5417-5d12-434d-ab2e-816901e72a5e | Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 511f5417-5d12-434d-ab2e-816901e72a5e
Kubernetes | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
Kubernetes | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 | Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: f85eb0dd-92ee-40e9-8a76-db25a507d6d3
Kubernetes | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 975ce327-682c-4f2e-aa46-b9598289b86c
Network | 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66 | Web Application Firewall (WAF) should be enabled for Application Gateway | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
add: 564feb30-bf6a-4854-b4bb-0d2d2d1e6c66
Network | 055aa869-bc98-4af8-bafc-23f1ab6ffe2c | Web Application Firewall (WAF) should be enabled for Azure Front Door Service service | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
add: 055aa869-bc98-4af8-bafc-23f1ab6ffe2c
Kubernetes | e1e6c427-07d9-46ab-9689-bfa85431e636 | Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: e1e6c427-07d9-46ab-9689-bfa85431e636
Network | 12430be1-6cc8-4527-a9a8-e3d38f250096 | Web Application Firewall (WAF) should use the specified mode for Application Gateway | Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-08 14:28:08
add: 12430be1-6cc8-4527-a9a8-e3d38f250096
Kubernetes | 098fc59e-46c7-4d99-9b16-64990e543d75 | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: 098fc59e-46c7-4d99-9b16-64990e543d75
Kubernetes | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: f4a8fce0-2dd5-4c21-9a36-8f0ec809d663
Kubernetes | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: f06ddb64-5fa3-4b77-b166-acb36f7f6042
Kubernetes | df49d893-a74c-421d-bc95-c663042e5b80 | Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Default: audit
Allowed: (audit, deny, disabled)
2020-07-08 14:28:08
add: df49d893-a74c-421d-bc95-c663042e5b80
SQL | aeb23562-188d-47cb-80b8-551f16ef9fff | [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in SQL Managed Instance advanced threat protection settings. This setting ensures that any detections of anomalous activities on SQL Managed Instance are reported as soon as possible to the admins. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL managed instance advanced data security settings
SQL | bda18df3-5e41-4709-add9-2554ce68c966 | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings | It's recommended to enable all Advanced Threat Protection types on your SQL Managed Instance. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL managed instance Advanced Data Security settings
SQL | c8343d2f-fdc9-4a97-b76f-fc71d1163bfc | [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings | Audit that 'email notification to admins and subscription owners' is enabled in the SQL server advanced threat protection settings. This ensures that any detections of anomalous activities on SQL server are reported as soon as possible to the admins. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
SQL | 3965c43d-b5f4-482e-b74a-d89ee0e0b3a8 | [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the advanced data security settings. This email address receives alert notifications when anomalous activities are detected on SQL Managed Instance. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Advanced data security settings for SQL managed instance should contain an email address to receive security alerts
SQL | 7698e800-9299-47a6-b3b6-5a0fee576eed | Private endpoint connections on Azure SQL Database should be enabled | Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. | Default: Audit
Allowed: (Audit, Disabled)
2020-07-01 14:50:07
add: 7698e800-9299-47a6-b3b6-5a0fee576eed
SQL | 9677b740-f641-4f3c-b9c5-466005c85278 | [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts | Ensure that an email address is provided for the 'Send alerts to' field in the Advanced Data Security server settings. This email address receives alert notifications when anomalous activities are detected on SQL servers. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Advanced data security settings for SQL server should contain an email address to receive security alerts
SQL | e756b945-1b1b-480b-8de8-9a0859d5f7ad | [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings | It is recommended to enable all Advanced Threat Protection types on your SQL servers. Enabling all types protects against SQL injection, database vulnerabilities, and any other anomalous activities. | Default: Disabled
Allowed: (AuditIfNotExists, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings
SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-01 14:50:07
change: Previous DisplayName: [Preview]: Azure SignalR Service should use private links
SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-07-01 14:50:07
add: 1b8ca024-1d5c-4dec-8995-b1a932b41780
VM Image Builder | 2154edb9-244f-4741-9970-660785bccdaa | VM Image Builder templates should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet. | Default: Audit
Allowed: (Audit, Disabled, Deny)
2020-07-01 14:50:07
add: 2154edb9-244f-4741-9970-660785bccdaa
Guest Configuration | 5fc23db3-dd4d-4c56-bcc7-43626243e601 | [Deprecated]: Audit Windows virtual machines on which the Windows Guest Configuration extension is not enabled | This policy audits Windows virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-30 14:58:19
change: Previous DisplayName: Audit prerequisites to enable Guest Configuration policies on Windows VMs.
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | n/a | n/a
2020-06-29 05:46:45
remove: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | [Preview]: Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | n/a | n/a
2020-06-29 05:46:45
remove: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-29 05:46:45
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-29 05:46:45
change: Previous DisplayName: [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Guest Configuration | fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Linux VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-23 16:03:25
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
Guest Configuration | 0ecd903d-91e7-4726-83d3-a229d7f2e293 | [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. | This policy creates a system-assigned managed identity and deploys the VM extension for Guest Configuration on Windows VMs. This is a prerequisite for Guest Configuration Policy and must be assigned to the scope before using any Guest Configuration policy. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-23 16:03:25
change: Previous DisplayName: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
API for FHIR | 0fea8f8a-4169-495d-8307-30ec335f387d | CORS should not allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | Default: audit
Allowed: (audit, disabled)
2020-06-23 16:03:25
add: 0fea8f8a-4169-495d-8307-30ec335f387d
Cosmos DB | 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb | Azure Cosmos DB accounts should have firewall rules | Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-06-23 16:03:25
add: 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb
Security Center | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 | Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2
Security Center | 308fbb08-4ab8-4e67-9b29-592e93fb94fa | Azure Defender for Storage should be enabled | Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 308fbb08-4ab8-4e67-9b29-592e93fb94fa
Kubernetes | 0a15ec92-a229-4763-bb14-0ea34a568f8d | Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Default: Audit
Allowed: (Audit, Disabled)
2020-06-23 16:03:25
add: 0a15ec92-a229-4763-bb14-0ea34a568f8d
Cosmos DB | 1f905d99-2ab7-462c-a6b0-f709acca6c8f | Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/cosmosdb-cmk. | Default: audit
Allowed: (audit, deny, disabled)
2020-06-23 16:03:25
add: 1f905d99-2ab7-462c-a6b0-f709acca6c8f
Security Center | 4da35fc9-c9e7-4960-aec9-797fe7d9051d | Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 4da35fc9-c9e7-4960-aec9-797fe7d9051d
Security Center | 2913021d-f2fd-4f3d-b958-22354e2bdbcb | Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 2913021d-f2fd-4f3d-b958-22354e2bdbcb
Guest Configuration | faf25c8c-9598-4305-b4de-0aee1317fb31 | [Deprecated]: Audit Linux virtual machines on which the Linux Guest Configuration extension is not enabled | This policy audits Linux virtual machines hosted in Azure that are supported by Guest Configuration but do not have the Guest Configuration extension enabled. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: faf25c8c-9598-4305-b4de-0aee1317fb31
Security Center | 0e6763cc-5078-4e64-889d-ff4d9a839047 | Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 0e6763cc-5078-4e64-889d-ff4d9a839047
Guest Configuration | 385f5831-96d4-41db-9a3c-cd3af78aaae6 | Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-23 16:03:25
add: 385f5831-96d4-41db-9a3c-cd3af78aaae6
Machine Learning | 6a6f7384-63de-11ea-bc55-0242ac130003 | [Preview]: Configure code signing for training code for specified Azure Machine Learning computes | Provide code signing for training code in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-06-23 16:03:25
add: 6a6f7384-63de-11ea-bc55-0242ac130003
Security Center | 523b5cd1-3e23-492f-a539-13118b6d1e3a | Azure Defender for Kubernetes should be enabled | Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 523b5cd1-3e23-492f-a539-13118b6d1e3a
Guest Configuration | 3cf2ab00-13f1-4d0c-8971-2ac904541a7e | Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-06-23 16:03:25
add: 3cf2ab00-13f1-4d0c-8971-2ac904541a7e
Security Center | 6581d072-105e-4418-827f-bd446d56421b | Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: 6581d072-105e-4418-827f-bd446d56421b
Guest Configuration | 331e8ea8-378a-410f-a2e5-ae22f38bb0da | Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: deployIfNotExists | Contributor
2020-06-23 16:03:25
add: 331e8ea8-378a-410f-a2e5-ae22f38bb0da
Security Center | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 | Azure Defender for container registries should be enabled | Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-23 16:03:25
add: c25d9a16-bc35-4e15-a7e5-9db606bf9ed4
Guest Configuration | 497dff13-db2a-4c0f-8603-28fa3b331ab6 | Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | Fixed: modify | Contributor
2020-06-23 16:03:25
add: 497dff13-db2a-4c0f-8603-28fa3b331ab6
Monitoring | 4da21710-ce6f-4e06-8cdb-5cc4c93ffbee | Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | Fixed: deployIfNotExists | Log Analytics Contributor
2020-06-22 16:06:25
change: Previous DisplayName: Deploy Dependency agent for Linux VMs
Monitoring | 1c210e94-a481-4beb-95fa-1571b434fb04 | Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2020-06-22 16:06:25
change: Previous DisplayName: Deploy Dependency agent for Windows VMs
Network | f6b68e5a-7207-4638-a1fb-47d90404209e | [Deprecated]: Web Application Firewall should be a set mode for Application Gateway and Azure Front Door Service | Mandates detect or prevent mode to be active on all Web Application Firewall policies for Azure Front Door and Application Gateway. Web Application Firewall policies can have a consistent mode configuration across a resource group. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-06-11 19:46:04
add: f6b68e5a-7207-4638-a1fb-47d90404209e
Network | be7ed5c8-2660-4136-8216-e6f3412ba909 | [Deprecated]: Web Application Firewall should be enabled for Azure Front Door Service or Application Gateway | Requires Web Application Firewall on any Azure Front Door Service or Application Gateway. A Web Application Firewall provides greater security for your other Azure resources. | Default: Deny
Allowed: (Audit, Deny, Disabled)
2020-06-11 19:46:04
add: be7ed5c8-2660-4136-8216-e6f3412ba909
Guest Configuration | 7066131b-61a6-4917-a7e4-72e8983f0aa6 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | 36e17963-7202-494a-80c3-f508211c826b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | 7227ebe5-9ff7-47ab-b823-171cd02fb90f | [Deprecated]: Show audit results from Windows VMs on which the DSC configuration is not compliant | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the DSC configuration is not compliant
Guest Configuration | 30040dab-4e75-4456-8273-14b8f75d91d9 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration | a030a57e-4639-4e8f-ade9-a92f33afe7ee | [Deprecated]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration | f56a3ab2-89d1-44de-ac0d-2ada5962e22a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
Guest Configuration | ec49586f-4939-402d-a29e-6ff502b20592 | [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that allow remote connections from accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
Guest Configuration | 02a84be7-c304-421f-9bb7-5d2c26af54ad | [Deprecated]: Show audit results from Windows VMs on which the remote connection status does not match the specified one | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines on which the remote host connection status does not match the specified one. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs on which the remote host connection status does not match the specified one
Cognitive Services | 0725b4dd-7e76-479c-a735-68e7ee23d5ca | Cognitive Services accounts should disable public network access | Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account. Learn more at: https://go.microsoft.com/fwlink/?linkid=2129800. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 0725b4dd-7e76-479c-a735-68e7ee23d5ca
Guest Configuration | 24dde96d-f0b1-425e-884f-4a1421e2dcdc | [Deprecated]: Show audit results from Windows VMs that do not have a maximum password age of 70 days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a maximum password age of 70 days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a maximum password age of 70 days
Guest Configuration | c5fbc59e-fb6f-494f-81e2-d99a671bdaa8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that contain certificates expiring within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration | 7229bd6a-693d-478a-87f0-1dc1af06f3b8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | 9328f27e-611e-44a7-a244-39109d7d35ab | [Deprecated]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that contain certificates expiring within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that contain certificates expiring within the specified number of days
Guest Configuration | dd4680ed-0559-4a6a-ad10-081d14cbb484 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration | ec7ac234-2af5-4729-94d2-c557c071799d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | bbcdd8fa-b600-4ee3-85b8-d184e3339652 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | 5aa11bbc-5c76-4302-80e5-aba46a4282e7 | [Deprecated]: Show audit results from Windows VMs that do not have a minimum password age of 1 day | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have a minimum password age of 1 day. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | 42a07bbf-ffcf-459a-b4b1-30ecd118a505 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Security Center | bb91dfba-c30d-4263-9add-9c2384e659a6 | Non-internet-facing virtual machines should be protected with network security groups | Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG). Learn more about controlling traffic with NSGs at https://aka.ms/nsg-doc | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-09 16:25:53
add: bb91dfba-c30d-4263-9add-9c2384e659a6
Guest Configuration | 23020aa6-1135-4be2-bae2-149982b06eca | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not restrict the minimum password length to 14 characters. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 86880e5c-df35-43c5-95ad-7e120635775e | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | f19aa1c1-6b91-4c27-ae6a-970279f03db9 | [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | This policy creates a Guest Configuration assignment to audit Linux virtual machines that do not have the passwd file permissions set to 0644. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | c40c9087-1981-4e73-9f53-39743eda9d05 | [Deprecated]: Show audit results from Linux VMs that have accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that have accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that have accounts without passwords
Guest Configuration | bc87d811-4a9b-47cc-ae54-0a41abda7768 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | 7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration | 97646672-5efa-4622-9b54-740270ad60bf | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration | 2d60d3b7-aa10-454c-88a8-de39d99d17c6 | [Deprecated]: Show audit results from Windows VMs that do not store passwords using reversible encryption | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not store passwords using reversible encryption. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not store passwords using reversible encryption
SignalR | 53503636-bcc9-4748-9663-5348217f160f | Azure SignalR Service should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: https://aka.ms/asrs/privatelink. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 53503636-bcc9-4748-9663-5348217f160f
Cognitive Services | 67121cc7-ff39-4ab8-b7e3-95b84dab487d | Cognitive Services accounts should enable data encryption with a customer-managed key | Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at https://go.microsoft.com/fwlink/?linkid=2121321. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 67121cc7-ff39-4ab8-b7e3-95b84dab487d
Guest Configuration | c961dac9-5916-42e8-8fb1-703148323994 | [Deprecated]: Show audit results from Windows VMs configurations in 'User Rights Assignment' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'User Rights Assignment'
Guest Configuration | f48b2913-1dc5-4834-8c72-ccc1dfd819bb | [Deprecated]: Show audit results from Windows VMs that do not have the password complexity setting enabled | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not have the password complexity setting enabled. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not have the password complexity setting enabled
Guest Configuration | d38b4c26-9d2e-47d7-aefe-18d859a8706a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant | This policy creates a Guest Configuration assignment to audit Windows VMs on which the Desired State Configuration (DSC) configuration is not compliant. This policy is only applicable to machines with WMF 4 and above. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
Guest Configuration | f8b0158d-4766-490f-bea0-259e52dba473 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
Guest Configuration | 21e2995e-683e-497a-9e81-2f42ad07050a | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Audit' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Audit'
Guest Configuration | 6fe4ef56-7576-4dc4-8e9c-26bad4b087ce | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Server'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Server'
Guest Configuration | c1e289c0-ffad-475d-a924-adc058765d65 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
Guest Configuration | e425e402-a050-45e5-b010-bd3f934589fc | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | 8a39d1f1-5513-4628-b261-f469a5a3341b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System settings' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System settings'
Guest Configuration | 620e58b5-ac75-49b4-993f-a9d4f0459636 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - System objects' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | a1e8dda3-9fd2-4835-aec3-0e55531fde33 | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - System' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration | 8e170edb-e0f5-497a-bb36-48b3280cec6a | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | 6481cc21-ed6e-4480-99dd-ea7c5222e897 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | 985285b7-b97a-419c-8d48-c88cc934c8d8 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Network'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
Guest Configuration | 87b590fe-4a1d-4697-ae74-d4fe72ab786c | [Deprecated]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - Control Panel'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Administrative Templates - Control Panel'
Guest Configuration | 8bbd627e-4d25-4906-9a6e-3789780af3ec | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | a9a33475-481d-4b81-9116-0bf02ffe67e8 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Detailed Tracking'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
Guest Configuration | 815dcc9f-6662-43f2-9a03-1b83e9876f24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'User Rights Assignment'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
Kubernetes | 1d61c4d2-aef2-432b-87fc-7f96b019b7e1 | Configure Kubernetes clusters with specified GitOps configuration using no secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Contributor
2020-06-09 16:25:53
add: 1d61c4d2-aef2-432b-87fc-7f96b019b7e1
Guest Configuration | 97b595c8-fd10-400e-8543-28e2b9138b13 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Policy Change'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
Guest Configuration | 60aeaf73-a074-417a-905f-7ce9df0ff77b | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Object Access'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Object Access'
Guest Configuration | 225e937e-d32e-4713-ab74-13ce95b3519a | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | 5bb36dda-8a78-4df9-affd-4f05a8612a8a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the remote host connection status does not match the specified one. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one
Guest Configuration | 3750712b-43d0-478e-9966-d2c26f6141b9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | 7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have the password complexity setting enabled. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
Guest Configuration | 12ae2d24-3805-4b37-9fa9-465968bfbcfa | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System objects'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
Guest Configuration | cdbf72d9-ac9c-4026-8a3a-491a5ac59293 | [Deprecated]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that allow re-use of the previous 24 passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | fcbc55c9-f25a-4e55-a6cb-33acb3be778b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Microsoft Network Client'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Microsoft Network Client'
Guest Configuration | ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | 726671ac-c4de-4908-8c7d-6043ae62e3b6 | [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords | This policy creates a Guest Configuration assignment to audit Windows virtual machines that allow re-use of the previous 24 passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
Guest Configuration | 5aebc8d1-020d-4037-89a0-02043a7524ec | [Deprecated]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that do not restrict the minimum password length to 14 characters. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not restrict the minimum password length to 14 characters
Guest Configuration | 68511db2-bd02-41c4-ae6b-1900a012968a | [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected | This policy creates a Guest Configuration assignment to audit Windows virtual machines on which the Log Analytics agent is not connected to the specified workspaces. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
Guest Configuration | 7e84ba44-6d03-46fd-950e-5efa5a1112fa | [Deprecated]: Show audit results from Windows VMs that have not restarted within the specified number of days | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines that have not restarted within the specified number of days. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that have not restarted within the specified number of days
Guest Configuration | 29829ec2-489d-4925-81b7-bda06b1718e0 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - User Account Control'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - User Account Control'
Guest Configuration | e3a77a94-cf41-4ee8-b45c-98be28841c03 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | 7040a231-fb65-4412-8c0a-b365f4866c24 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
Guest Configuration | 3d7b154e-2700-4c8c-9e46-cb65ac1578c2 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Devices' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Devices'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Devices'
Guest Configuration | 356a906e-05e5-4625-8729-90771e0ee934 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a maximum password age of 70 days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
Cognitive Services | 46aa9b05-0e60-4eae-a88b-1e9d374fa515 | Cognitive Services accounts should use customer owned storage | Use customer owned storage to control the data stored at rest in Cognitive Services. To learn more about customer owned storage, visit https://aka.ms/cogsvc-cmk. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 46aa9b05-0e60-4eae-a88b-1e9d374fa515
Guest Configuration | 40917425-69db-4018-8dae-2a0556cef899 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - System'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
Guest Configuration | c8abcef9-fc26-482f-b8db-5fa60ee4586d | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Interactive Logon'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Interactive Logon'
Guest Configuration | b18175dd-c599-4c64-83ba-bb018a06d35b | [Deprecated]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that do not have the passwd file permissions set to 0644. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that do not have the passwd file permissions set to 0644
Guest Configuration | 5c028d2a-1889-45f6-b821-31f42711ced8 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Network Security' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Network Security'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Network Security'
Guest Configuration | 0a9991e6-21be-49f9-8916-a06d934bcf29 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Account Management'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
Guest Configuration | 106ccbe4-a791-4f33-a44a-06796944b8d5 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root | This policy creates a Guest Configuration assignment to audit Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration | 2d67222d-05fd-4526-a171-2ee132ad9e83 | [Deprecated]: Show audit results from Linux VMs that allow remote connections from accounts without passwords | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Linux virtual machines that allow remote connections from accounts without passwords. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Linux VMs that allow remote connections from accounts without passwords
Guest Configuration | e3d95ab7-f47a-49d8-a347-784177b6c94c | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration | ce2370f6-0ac5-4d85-8ab4-10721cc640b0 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Privilege Use'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
Guest Configuration | b872a447-cc6f-43b9-bccf-45703cd81607 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Accounts' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | 437a1f8f-8552-47a8-8b12-a2fee3269dd5 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - System settings'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
Cognitive Services | 2bdd0062-9d75-436e-89df-487dd8e4b3c7 | [Deprecated]: Cognitive Services accounts should enable data encryption | This policy is deprecated. Cognitive Services have data encryption enforced. | Default: Disabled
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 2bdd0062-9d75-436e-89df-487dd8e4b3c7
Guest Configuration | f3b9ad83-000d-4dc1-bff0-6d54533dd03f | [Deprecated]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows VMs that do not contain the specified certificates in the Trusted Root Certification Authorities certificate store (Cert:\LocalMachine\Root). For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs that do not contain the specified certificates in Trusted Root
Guest Configuration | c04255ee-1b9f-42c1-abaa-bf1553f79930 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Cognitive Services | 11566b39-f7f7-4b82-ab06-68d8700eb0a4 | [Deprecated]: Cognitive Services accounts should use customer owned storage or enable data encryption. | This policy is deprecated. Cognitive Services have data encryption enforced. | Default: Disabled
Allowed: (Audit, Deny, Disabled)
2020-06-09 16:25:53
add: 11566b39-f7f7-4b82-ab06-68d8700eb0a4
Guest Configuration | e5b81f87-9185-4224-bf00-9f505e9f89f3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Accounts'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
Guest Configuration | f1f4825d-58fb-4257-8016-8c00e3c9ed9d | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Administrative Templates - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
Guest Configuration | ba12366f-f9a6-42b8-9d98-157d0b1a837b | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Recovery console'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Options - Recovery console'
Guest Configuration | 1f8c20ce-3414-4496-8b26-0e902a1541da | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Shutdown'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
Guest Configuration | 8ff0b18b-262e-4512-857a-48ad0aeb9a78 | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not store passwords using reversible encryption. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
Guest Configuration | b3802d79-dd88-4bce-b81d-780218e48280 | [Deprecated]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'System Audit Policies - Logon-Logoff'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
Guest Configuration | 630c64f9-8b6b-4c64-b511-6544ceff6fd6 | Authentication to Linux machines should require SSH keys | Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-09 16:25:53
add: 630c64f9-8b6b-4c64-b511-6544ceff6fd6
Guest Configuration | 3470477a-b35a-49db-aca5-1073d04524fe | [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords | This policy creates a Guest Configuration assignment to audit Linux virtual machines that have accounts without passwords. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
Guest Configuration | ddb53c61-9db4-41d4-a953-2abff5b66c12 | [Deprecated]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Security Settings - Account Policies'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Security Settings - Account Policies'
Guest Configuration | 16390df4-2f73-4b42-af13-c801066763df | [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day | This policy creates a Guest Configuration assignment to audit Windows virtual machines that do not have a minimum password age of 1 day. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
Guest Configuration | f4b245d4-46c9-42be-9b1a-49e2b5b94194 | [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days | This policy creates a Guest Configuration assignment to audit Windows virtual machines that have not restarted within the specified number of days. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
Guest Configuration | 909c958d-1b99-4c74-b88f-46a5c5bc34f9 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
Guest Configuration | 498b810c-59cd-4222-9338-352ba146ccf3 | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' | This policy creates a Guest Configuration assignment to audit Windows virtual machines with non-compliant settings in Group Policy category: 'Security Options - Audit'. It also creates a system-assigned managed identity and deploys the VM extension for Guest Configuration. This policy should only be used along with its corresponding audit policy in an initiative. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: deployIfNotExists | Contributor
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
Guest Configuration | 9178b430-2295-406e-bb28-f6a7a2a2f897 | [Deprecated]: Show audit results from Windows VMs configurations in 'Windows Components' | This policy should only be used along with its corresponding deploy policy in an initiative. This definition allows Azure Policy to process the results of auditing Windows virtual machines with non-compliant settings in Group Policy category: 'Windows Components'. For more information on Guest Configuration policies, please visit https://aka.ms/gcpol | Fixed: auditIfNotExists
2020-06-09 16:25:53
change: Previous DisplayName: [Preview]: Show audit results from Windows VMs configurations in 'Windows Components'
Security Center | 47a6b606-51aa-4496-8bb7-64b11cf66adc | Adaptive application controls for defining safe applications should be enabled on your machines | Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-08 18:42:36
change: Previous DisplayName: Adaptive Application Controls should be enabled on virtual machines
SQL | 1b7aa243-30e4-4c9e-bca8-d0d3022b634a | Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-08 18:42:36
change: Previous DisplayName: Vulnerability assessment should be enabled on your SQL managed instances
SQL | abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 | Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-08 18:42:36
change: Previous DisplayName: Advanced data security should be enabled on your SQL managed instances
Security Center | a7aca53f-2ed4-4466-a25e-0b45ade68efd | Azure DDoS Protection Standard should be enabled | DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-08 18:42:36
change: Previous DisplayName: DDoS Protection Standard should be enabled
Kubernetes service | a2d3ed81-8d11-4079-80a5-1faadc0024f4 | [Deprecated]: Ensure CPU and memory resource limits defined on containers in AKS | This policy ensures CPU and memory resource limits are defined on containers in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure CPU and memory resource limits defined on containers in AKS
Security Center | bd352bd5-2853-4985-bf0d-73806b4a5744 | IP Forwarding on your virtual machine should be disabled | Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Preview]: IP Forwarding on your virtual machine should be disabled
Kubernetes service | a74d8f00-2fd9-4ce4-968e-0ee1eb821698 | [Deprecated]: Enforce internal load balancers in AKS | This policy enforces load balancers do not have public IPs in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce internal load balancers in AKS
Kubernetes service | 5f86cb6e-c4da-441b-807c-44bd0cc14e66 | [Deprecated]: Ensure only allowed container images in AKS | This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure only allowed container images in AKS
Kubernetes service | 7ce7ac02-a5c6-45d6-8d1b-844feb1c1531 | [Deprecated]: Do not allow privileged containers in AKS | This policy does not allow privileged containers creation in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Do not allow privileged containers in AKS
Kubernetes service | 0f636243-1b1c-4d50-880f-310f6199f2cb | [Deprecated]: Ensure containers listen only on allowed ports in AKS | This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS
Kubernetes service | 25dee3db-6ce0-4c02-ab5d-245887b24077 | [Deprecated]: Ensure services listen only on allowed ports in AKS | This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS
Kubernetes service | 16c6ca72-89d2-4798-b87e-496f9de7fcb7 | [Deprecated]: Enforce labels on pods in AKS | This policy enforces the specified labels are provided for pods in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce labels on pods in AKS
Security Center | b0f33259-77d7-4c9e-aac6-3aabcfae693c | Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: Just-In-Time network access control should be applied on virtual machines
Kubernetes service | d011d9f7-ba32-4005-b727-b3d09371ca60 | [Deprecated]: Enforce unique ingress hostnames across namespaces in AKS | This policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS
Kubernetes service | 2fbff515-eecc-4b7e-9b63-fcc7138b7dc3 | [Deprecated]: Enforce HTTPS ingress in AKS | This policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies. | Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: [Limited Preview]: [AKS] Enforce HTTPS ingress in AKS
Cache | 22bee202-a82f-4305-9a2a-6d7f44d4dedb | Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-06-01 18:36:18
change: Previous DisplayName: Only secure connections to your Redis Cache should be enabled
Monitoring | d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e | [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-05-29 15:39:09
add: d69b1763-b96d-40b8-a2d9-ca31e9fd0d3e
Cosmos DB | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf | Azure Cosmos DB throughput should be limited | This policy enables you to restrict the maximum throughput your organization can specify when creating Azure Cosmos DB databases and containers through the resource provider. It blocks the creation of autoscale resources. | Default: deny
Allowed: (audit, deny, disabled)
2020-05-29 15:39:09
add: 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf
Security Center | f1525828-9a90-4fcf-be48-268cdd02361e | Deploy Workflow Automation for Azure Security Center alerts | Enable automation of Azure Security Center alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor
2020-05-29 15:39:09
add: f1525828-9a90-4fcf-be48-268cdd02361e
Security Center | cdfcce10-4578-4ecd-9703-530938e4abcb | Deploy export to Event Hub for Azure Security Center data | Enable export to Event Hub of Azure Security Center data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor
2020-05-29 15:39:09
add: cdfcce10-4578-4ecd-9703-530938e4abcb
Container Registry | d0793b48-0edc-4296-a390-4c75d1bdfd71 | Container registries should not allow unrestricted network access | Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: https://aka.ms/acr/portal/public-network and here https://aka.ms/acr/vnet. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should not allow unrestricted network access
Security Center | ffb6f416-7bd2-4488-8828-56585fef2be9 | Deploy export to Log Analytics workspace for Azure Security Center data | Enable export to Log Analytics workspace of Azure Security Center data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor
2020-05-29 15:39:09
add: ffb6f416-7bd2-4488-8828-56585fef2be9
Monitoring | deacecc0-9f84-44d2-bb82-46f32d766d43 | Configure Dependency agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2020-05-29 15:39:09
add: deacecc0-9f84-44d2-bb82-46f32d766d43
Security Center | 73d6ab6c-2475-4850-afd6-43795f3492ef | Deploy Workflow Automation for Azure Security Center recommendations | Enable automation of Azure Security Center recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Fixed: deployIfNotExists | Contributor
2020-05-29 15:39:09
add: 73d6ab6c-2475-4850-afd6-43795f3492ef
Container Registry | 5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580 | Container registries should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/acr/CMK. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should be encrypted with a Customer-Managed Key (CMK)
Security Center | 123a3936-f020-408a-ba0c-47873faf1534 | Allowlist rules in your adaptive application control policy should be updated | Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-05-29 15:39:09
add: 123a3936-f020-408a-ba0c-47873faf1534
Event Grid | 4b90e17e-8448-49db-875e-bd83fb6f804f | Azure Event Grid topics should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
add: 4b90e17e-8448-49db-875e-bd83fb6f804f
Cosmos DB | 4750c32b-89c0-46af-bfcb-2e4541a818d5 | Azure Cosmos DB key based metadata write access should be disabled | This policy enables you to ensure all Azure Cosmos DB accounts disable key based metadata write access. | Fixed: append
2020-05-29 15:39:09
add: 4750c32b-89c0-46af-bfcb-2e4541a818d5
Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Deploy Dependency agent to hybrid Windows VMs managed in Azure Arc
Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Deploy Log Analytics agent to hybrid Windows VMs managed in Azure Arc
Event Grid | 9830b652-8523-49cc-b1b3-e17dce1127ca | Azure Event Grid domains should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/privateendpoints. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
add: 9830b652-8523-49cc-b1b3-e17dce1127ca
API Management | ef619a2c-cc4d-4d03-b2ba-8c94a834d85b | API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
add: ef619a2c-cc4d-4d03-b2ba-8c94a834d85b
Monitoring | 842c54e8-c2f9-4d79-ae8d-38d8b8019373 | [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-05-29 15:39:09
add: 842c54e8-c2f9-4d79-ae8d-38d8b8019373
Monitoring | 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf | Configure Log Analytics agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2020-05-29 15:39:09
add: 9d2b61b4-1d14-4a63-be30-d4498e7ad2cf
Container Registry | e8eef0a8-67cf-4eb4-9386-14b0e78733d4 | Container registries should use private link | Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: https://aka.ms/acr/private-link. | Default: Audit
Allowed: (Audit, Disabled)
2020-05-29 15:39:09
change: Previous DisplayName: [Preview]: Container Registries should use private links
Cognitive Services | 037eea7a-bd0a-46c5-9a66-03aea78705d3 | Cognitive Services accounts should restrict network access | Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-29 15:39:09
add: 037eea7a-bd0a-46c5-9a66-03aea78705d3
Cache | 7d092e0a-7acd-40d2-a975-dca21cae48c4 | Azure Cache for Redis should reside within a virtual network | Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access. When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-21 16:06:38
add: 7d092e0a-7acd-40d2-a975-dca21cae48c4
Monitoring | 69af7d4a-7b18-4044-93a9-2651498ef203 | Configure Log Analytics agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics agent virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2020-05-21 16:06:38
add: 69af7d4a-7b18-4044-93a9-2651498ef203
Security Center | 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616 | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2020-05-13 05:56:52
add: 8e7da0a5-0a0e-4bbc-bfc0-7773c018b616
Security Center | 6df2fee6-a9ed-4fef-bced-e13be1b25f1c | Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Contributor
2020-05-13 05:56:52
add: 6df2fee6-a9ed-4fef-bced-e13be1b25f1c
Machine Learning | 3948394e-63de-11ea-bc55-0242ac130003 | [Preview]: Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 3948394e-63de-11ea-bc55-0242ac130003
Machine Learning | 5853517a-63de-11ea-bc55-0242ac130003 | [Preview]: Configure allowed registries for specified Azure Machine Learning computes | Provide registries that are allowed in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 5853517a-63de-11ea-bc55-0242ac130003
Monitoring | 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4 | Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | Default: DeployIfNotExists
Allowed: (DeployIfNotExists, Disabled)
Log Analytics Contributor
2020-05-13 05:56:52
add: 91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4
Machine Learning | 77eeea86-7e81-4a7d-9067-de844d096752 | [Preview]: Configure allowed Python packages for specified Azure Machine Learning computes | Provide allowed Python packages in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 77eeea86-7e81-4a7d-9067-de844d096752
Machine Learning | 53c70b02-63dd-11ea-bc55-0242ac130003 | [Preview]: Configure allowed module authors for specified Azure Machine Learning computes | Provide allowed module authors in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 53c70b02-63dd-11ea-bc55-0242ac130003
Machine Learning | 1d413020-63de-11ea-bc55-0242ac130003 | [Preview]: Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Provide log filter expression and datastore to be used for full logs in specified Azure Machine Learning computes and can be assigned at the workspace. For more information, visit https://aka.ms/amlpolicydoc. | Default: enforceSetting
Allowed: (enforceSetting, disabled)
2020-05-13 05:56:52
add: 1d413020-63de-11ea-bc55-0242ac130003
Compute | cccc23c7-8427-4f53-ad12-b6a63eb452b3 | Allowed virtual machine size SKUs | This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Fixed: Deny
2020-05-09 14:57:51
change: Previous DisplayName: Allowed virtual machine SKUs
Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Default: Audit
Allowed: (Audit, Deny, Disabled)
2020-05-09 14:57:51
change: Previous DisplayName: Audit unrestricted network access to storage accounts
SQL | 83cef61d-dbd1-4b20-a4fc-5fbc7da10833 | MySQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-04-28 14:50:57
add: 83cef61d-dbd1-4b20-a4fc-5fbc7da10833
SQL | 18adea5e-f416-4d0f-8aa8-d24321e3e274 | PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
2020-04-28 14:50:57
add: 18adea5e-f416-4d0f-8aa8-d24321e3e274
SQL | d9844e8a-1437-4aeb-a32c-0c992f056095 | Public network access should be disabled for MySQL servers | Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit
Allowed: (Audit, Disabled)
2020-04-28 14:50:57
add: d9844e8a-1437-4aeb-a32c-0c992f056095
SQL | fdccbe47-f3e3-4213-ad5d-ea459b2fa077 | Public network access should be disabled for MariaDB servers | Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Default: Audit
Allowed: (Audit, Disabled)
2020-04-28 14:50:57
add: fdccbe47-f3e3-4213-ad5d-ea459b2fa077
SQL | b52376f7-9612-48a1-81cd-1ffe4b61032c | Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for Postg